Skip Menu |
 

This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 2531
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: balmas [...] ovid.com
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 5.69
Fixed in: (no value)



Subject: HTTP::Daemon message header restriction causes failure with Norton Internet Security
Download (untitled) / with headers
text/plain 1.7k
The get_request() method of HTTP::Daemon (version 1.26) does not comply with the HTTP 1.1 spec regarding the field-name component of message headers. This is causing HTTP::Daemon to fail in environments running the Norton Internet Security firewall product. Per the HTTP 1.1 spec (at ftp://ftp.isi.edu/in-notes/rfc2616.txt <ftp://ftp.isi.edu/in-notes/rfc2616.txt> ): message-header = field-name ":" [ field-value ] field-name = token The HTTP 1.1 spec further defines "token" to be: token = 1*<any CHAR except CTLs or separators> separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)> SP = <US-ASCII SP, space (32)> HT = <US-ASCII HT, horizontal-tab (9)> However, HTTP::Daemon::get_request() restricts field-names to those that match the following regex: /^([\w\-]+)\s*:\s*(.*)/ This causes HTTP::Daemon to improperly truncate posts from environments running the Norton Internet Security Firewall, which adds a header that looks something like: ~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~ When HTTP::Daemon::get_request() encounters this header, it assumes that it should quit processing headers and begin processing the message body. This causes the remaining headers to be ignored. The following regex fixes the problem and is in compliance with the HTTP 1.1 spec: m/^([^\x00-\x1f\x7f()<>@,;:\\"\/[\]?={}\x20\x09]+)\s*:\s*(.*)/ Note that the inclusion of \s* before the : is actually in violation of the HTTP 1.1 spec, so to be in strict compliance it probably should be removed.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.