Re: What is WARNING: suspicious CR characters in HTTP header ?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 15 Feb 2005 00:08:30 +0100 (CET)

On Tue, 15 Feb 2005, Evgeny Kotsuba wrote:

> Users now are standing up on these rakes and say: "Why today I can't do
> thing that I can do yesterday ?"
> They don't want to know - did they can parse something or not, they know
> that it worked yesterday.

It is a balance in how much crap we should accept from web servers and
what to reject as plain invalid data.

The source of this warning/reject from Squid is the "Reject malformed HTTP
requests and responses that conflict with the HTTP specifications" patch,
which is a security related patch.

If you think it is a good idea you are free to disable the suspicious CR
check from your Squid, but this is not endorsed by the Squid developers
and done at your own risk. It won't harm your Squid but may/will harm
others.

Note: The use of bare CRs as part of header data is way outside of the
HTTP specifications (CR is a CTL, and CTL characters are not valid within
header contents), and in addition violates at least one explicit MUST
level requirement.

Regards
Henrik
Received on Mon Feb 14 2005 - 16:08:32 MST
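
Added example (not part of the original message and not Squid's own code): a minimal C check for the condition described above, flagging a CR that is not part of a CRLF line terminator, or any other control character, inside a raw HTTP header block. The function and enum names are hypothetical, the sample response is constructed, and the CTL set assumed is octets 0-31 and 127 with HT allowed as whitespace.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning a raw HTTP header block. */
enum hdr_check { HDR_OK, HDR_BARE_CR, HDR_CTL, HDR_INCOMPLETE };

/* Scan buf[0..len) up to the empty line that ends the headers. CR is accepted
 * only inside a CRLF line terminator; HT is the only other control character
 * allowed (it is part of LWS). On a violation *bad_off is the octet's offset. */
enum hdr_check check_header_block(const char *buf, size_t len, size_t *bad_off)
{
    size_t line_start = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\r') {
            if (i + 1 >= len)
                return HDR_INCOMPLETE;   /* need the next octet to decide */
            if (buf[i + 1] != '\n') {
                *bad_off = i;
                return HDR_BARE_CR;
            }
        } else if (c == '\n') {
            /* Line content excludes the CR of a CRLF terminator. */
            size_t end = (i > line_start && buf[i - 1] == '\r') ? i - 1 : i;
            if (end == line_start)
                return HDR_OK;           /* empty line: end of headers */
            line_start = i + 1;
        } else if ((c < 0x20 && c != '\t') || c == 0x7f) {
            *bad_off = i;
            return HDR_CTL;
        }
    }
    return HDR_INCOMPLETE;               /* no terminating empty line seen */
}

int main(void)
{
    /* Constructed sample: a bare CR inside a header value. */
    const char *resp = "HTTP/1.0 200 OK\r\nX-Test: a\rb\r\n\r\n";
    size_t off = 0;
    enum hdr_check r = check_header_block(resp, strlen(resp), &off);
    printf("result=%d offset=%zu\n", (int)r, off);
    return 0;
}
```

The scan stops at the empty line, so a CR in the message body is not reported; only the header block is subject to the check.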
