author | William A. Rowe Jr <wrowe@apache.org> | 2016-10-14 22:48:43 +0200 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2016-10-14 22:48:43 +0200 |
commit | 84ce5d25db7e83ad4103ea106a6f2256f618bc1c (patch) | |
tree | 8c19ba9914d4f117324d39f092fcbad033599b9b /docs/manual/mod/core.xml | |
parent | mod_proxy_http2: resolving last 2 reported dup symbol clashes (diff) | |
download | apache2-84ce5d25db7e83ad4103ea106a6f2256f618bc1c.tar.xz apache2-84ce5d25db7e83ad4103ea106a6f2256f618bc1c.zip |
Dropped the never-released ap_has_cntrls() as it had very limited
and inefficient application at that; added ap_scan_vchar_obstext()
to accomplish a similar purpose.
Dropped HttpProtocolOptions StrictURL option, this will be better
handled in the future with a specific directive and perhaps multiple
levels of scrutiny, use ap_scan_vchar_obstext() to simply ensure there
are no control characters or whitespace within the URI.
Changed the scanning of the response header table by check_headers()
to follow the same rulesets as reading request headers. Disallow any
CTL character within a response header value, and any CTL or whitespace
in response header field name, even in strict mode.
Apply HttpProtocolOptions Strict to chunk header parsing, invalid
whitespace is invalid, line termination must follow CRLF convention.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1764961 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod/core.xml')
-rw-r--r-- | docs/manual/mod/core.xml | 35 |
1 files changed, 13 insertions, 22 deletions
diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index db65d5eb33..87d53c1c8c 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -1263,9 +1263,9 @@ EnableSendfile On <directivesynopsis> <name>HttpProtocolOptions</name> <description>Modify restrictions on HTTP Request Messages</description> -<syntax>HttpProtocolOptions [Strict|Unsafe] [StrictURL|UnsafeURL] - [RegisteredMethods|LenientMethods] [Allow0.9|Require1.0]</syntax> -<default>HttpProtocolOptions Strict StrictURL LenientMethods Allow0.9</default> +<syntax>HttpProtocolOptions [Strict|Unsafe] [RegisteredMethods|LenientMethods] + [Allow0.9|Require1.0]</syntax> +<default>HttpProtocolOptions Strict LenientMethods Allow0.9</default> <contextlist><context>server config</context> <context>virtual host</context></contextlist> <compatibility>2.2.32 or 2.4.24 and later</compatibility> @@ -1277,11 +1277,11 @@ EnableSendfile On (<a href="https://tools.ietf.org/html/rfc7230#section-3.2" >RFC 7230 §3.2</a>), which are now applied by default or using the <code>Strict</code> option. Due to legacy modules, applications or - custom user-agents which must be deperecated, <code>Unsafe</code> - and <code>UnsafeURL</code> options have been added to revert to the legacy - behaviors. These rules are applied prior to request processing, so must be - configured at the global or default (first) matching virtual host section, - by IP/port interface and not by name, to be honored.</p> + custom user-agents which must be deperecated the <code>Unsafe</code> + option has been added to revert to the legacy behaviors. These rules + are applied prior to request processing, so must be configured at the + global or default (first) matching virtual host section, by IP/port + interface (and not by name) to be honored.</p> <p>Prior to the introduction of this directive, the Apache HTTP Server request message parsers were tolerant of a number of forms of input 
@@ -1299,21 +1299,12 @@ EnableSendfile On mode, and the strict whitespace suggested by section 3.5 is enforced and cannot be relaxed.</p> - <p><a href="https://tools.ietf.org/html/rfc3986#section-2.2" - >RFC 3986 §2.2 and 2.3</a> define "Reserved Characters" and - "Unreserved Characters". All other character octets are required to - be %XX encoded under this spec, and RFC7230 defers to these requirements. - By default the <code>StrictURI</code> option will reject all requests - containing invalid characters. This rule can be relaxed with the - <code>UnsafeURI</code> option to support badly written user-agents.</p> - <p>Users are strongly cautioned against toggling the <code>Unsafe</code> - or <code>UnsafeURI</code> modes of operation, particularly on - outward-facing, publicly accessible server deployments. - If an interface is required for faulty monitoring or other custom service - consumers running on an intranet, users should toggle only those Unsafe - options which are necessary, and only on a specific virtual host configured - to service only their internal private network.</p> + mode of operation, particularly on outward-facing, publicly accessible + server deployments. If an interface is required for faulty monitoring + or other custom service consumers running on an intranet, users should + toggle the Unsafe option only on a specific virtual host configured + to service their internal private network.</p> <p>Reviewing the messages logged to the <directive>ErrorLog</directive>, configured with <directive>LogLevel</directive> <code>debug</code> level, |
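Review bot: In the second hunk (@@ -1277) the typo "deperecated" is carried over into the new line `custom user-agents which must be deperecated the <code>Unsafe</code>`, and the comma that the removed line had after that word is dropped, so the rewritten sentence now runs "which must be deperecated the Unsafe option has been added"; suggest `custom user-agents which must be deprecated, the <code>Unsafe</code>` so the subordinate clause is separated from the main clause.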
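Review bot: In the third hunk (@@ -1299) the line `<p>Users are strongly cautioned against toggling the <code>Unsafe</code>` appears among the removed lines and the first added line begins `mode of operation, particularly on outward-facing, publicly accessible`; unless that opening line is retained as unchanged context, the resulting paragraph has no `<p>` start and no subject, so please verify the rendered result of this hunk. Removing the old paragraph also resolves the naming mismatch the old text had (the synopsis said `StrictURL`/`UnsafeURL` while this paragraph said `StrictURI`/`UnsafeURI`).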
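Review bot: Dropping the RFC 3986 paragraph in the third hunk (@@ -1299) leaves the directive documentation with no statement of what validation the request-target still receives; the commit message says ap_scan_vchar_obstext() is now used to reject any control character or whitespace within the URI, so a sentence to that effect (that the URI is checked for CTL and whitespace octets regardless of the Strict/Unsafe setting, or under whichever setting actually applies) would tell administrators what they lose and keep when they toggle the option, and would also cover the chunk-header parsing that the commit message says `Strict` now governs.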