Re: [jetty-users] Configuring option 2 of RFC 7230 paragraph 5 (HTTP header folding)

The "message/http" content-type is typically only seen in the response body content to a TRACE method (which is unsupported by Jetty for security reasons).

eg:

Host: www.company.com
Connection: Close
(blank line)

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 15 Feb 2017 09:44:21 GMT
Content-Type: message/http
Connection: close
Server: ImpressiveServer/1.2.3.4 (Unix)
Connection: close
Via: 1.1 bogusproxy
   
9d
TRACE / HTTP/1.1
Connection: keep-alive
Via: 1.1 bogusproxy
X-Foo: Value1,
       Value2,
       Value3
X-Forwarded-For: 111.69.185.59, 111.69.5.234
   
0


It was removed from the spec specifically because it causes security issues. (header injection)
Note: Internet Explorer, Chrome, Firefox, and most proxies do not support header folding anymore.

What you are trying to do is going to be increasingly difficult as time goes on (not only will Jetty reject it, but so must HTTP proxies and the like).


   Historically, HTTP header field values could be extended over
   multiple lines by preceding each extra line with at least one space
   or horizontal tab (obs-fold).  This specification deprecates such
   line folding except within the message/http media type
   (Section 8.3.1).  A sender MUST NOT generate a message that includes
   line folding (i.e., that has any field-value that contains a match to
   the obs-fold rule) unless the message is intended for packaging
   within the message/http media type.

Your clients MUST NOT send folded http headers.
It is highly unlikely that Jetty will reintroduce header folding.
You'll have to make a very good (security minded) case for it.


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Feb 15, 2017 at 10:13 AM, Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
Hi,

I switched from 9.2 to 9.3 and two dozen test cases now fail due
to the fact that they create HTTP requests containing folded HTTP
request headers. I'm aware of Bug 444222 where it's mentioned that
Jetty 9.3 will follow RFC 7230 more strictly, so I know why I now
get HTTP 400 responses.

The RFC allows two ways of reacting to folded HTTP headers:

| A server that receives an obs-fold in a request message that is not
|    within a message/http container MUST either reject the message by
|    sending a 400 (Bad Request), preferably with a representation
|    explaining that obsolete line folding is unacceptable, or replace
|    each received obs-fold with one or more SP octets prior to
|    interpreting the field value or forwarding the message downstream.

Since we use Jetty as HTTP server for AS2, web service and RESTful
service data exchanges on a couple thousand distinct installations
where we have absolutely no control over the other side sending in
these requests, the default behavior will definitely break production
EDI setups. So I'm forced to use option 2 of the RFC.

How can I set up Jetty to replace line breaks with spaces in order
to keep existing data exchanges running with the new version?


Thanks and best regards,

Lothar Kimmeringer
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
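Added example, not Jetty code and not from either message in this thread: a small Python parser for a request header block that implements both reactions RFC 7230 section 3.2.4 permits for obs-fold (reject with 400, or replace each fold with one SP before interpreting), next to a shortcut parser that shows why a folded field value gets interpreted differently by different parsers. The names parse_headers, rejected, naive_parse and the FOLDED sample (built from the X-Foo header in the TRACE body quoted above) are my own constructions.

```python
import re
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")   # line break followed by SP/HTAB (obs-fold)
FIELD_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

class BadRequest(Exception):
    """RFC 7230 option 1: reject the message with 400 Bad Request."""

def _fields(block: bytes) -> dict:
    """Parse 'name: value' lines; duplicate names are joined with ', '."""
    headers = {}
    for line in re.split(rb"\r?\n", block):
        if not line:
            continue
        m = FIELD_LINE.match(line)
        if not m:
            raise BadRequest("malformed field line: %r" % line)
        name, value = m.group(1).lower(), m.group(2)
        headers[name] = headers[name] + b", " + value if name in headers else value
    return headers

def parse_headers(block: bytes, mode: str = "reject") -> dict:
    """mode='reject' is what Jetty 9.3 does; mode='unfold' is RFC option 2."""
    if OBS_FOLD.search(block):
        if mode == "reject":
            raise BadRequest("obsolete line folding is unacceptable")
        block = OBS_FOLD.sub(b" ", block)  # one SP per obs-fold, before interpreting
    return _fields(block)

def rejected(block: bytes, mode: str = "reject") -> bool:
    """True when parse_headers() would answer 400 for this block."""
    try:
        parse_headers(block, mode)
        return False
    except BadRequest:
        return True

def naive_parse(block: bytes) -> dict:
    """Shortcut parser that drops lines without a colon; it silently disagrees
    with parse_headers() about what the folded field value is."""
    headers = {}
    for line in re.split(rb"\r?\n", block):
        if b":" in line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
    return headers

# Constructed sample: the folded X-Foo header from the TRACE body quoted above.
FOLDED = b"Connection: keep-alive\r\nX-Foo: Value1,\r\n       Value2,\r\n       Value3\r\n"
```

Running parse_headers(FOLDED) raises BadRequest, parse_headers(FOLDED, "unfold") yields a single X-Foo value, and naive_parse(FOLDED) sees only the first fragment, which is the interpretation mismatch that made folding a header-injection risk.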