Have Apache Accept LF vs CRLF in Request Headers

2

14

I have a legacy product that I'm trying to support on an Apache server. Only after a recent update, the server began rejecting request headers which only used LF for newlines, and it's a tall order to rebuild the product because of how old the code base is. Is there a setting somewhere that can be used, or a mod_rewrite command that can be leveraged, to allow request headers which use LF instead of CRLF, or that will rewrite LFs as CRLFs in request headers?

Example header from app:

Host: www.ourhostname.com:80\n
Accept-language: en\n
user_agent: Our Old Application\n
\n

If I hex edit the file to change the \n to \r\n, it works, but hex editing a file for release as an update isn't desired and I'm trying to find something server-side to get Apache to stop choking on LF's by themselves. Thanks in advance for any help on this problem!

Sardella answered 23/4, 2017 at 17:40 Comment(0)
11

We had the same problem and found Apache's fixed vulnerability:

important: Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743 https://httpd.apache.org/security/vulnerabilities_24.html

These defects are addressed with the release of Apache HTTP Server 2.4.25 and coordinated by a new directive;

HttpProtocolOptions Strict

which is the default behavior of 2.4.25 and later. By toggling from 'Strict' behavior to 'Unsafe' behavior, some of the restrictions may be relaxed to allow some invalid HTTP/1.1 clients to communicate with the server, but this will reintroduce the possibility of the problems described in this assessment. Note that relaxing the behavior to 'Unsafe' will still not permit raw CTLs other than HTAB (where permitted), but will allow other RFC requirements to not be enforced, such as exactly two SP characters in the request line.

So, the HttpProtocolOptions Unsafe directive may be your solution. We decided not to use it.

Mccrae answered 3/5, 2017 at 11:54 Comment(1)
This fixed our issue. Unfortunately can't specify it down to a file using the <Files> directive to keep the rest of the site protected, but it does work at the vhost level. Thanks for the info! – Sardella
3

You could put a reverse proxy of some kind in front of Apache and have that handle converting the request to something Apache-friendly for you. Perhaps Varnish Cache would work, which can also function as just an HTTP processor, or NGINX. Another option may be a little Node.js app to accept the squiffy input and convert it to something better for you while piping it to the back-end.

Fibrous answered 4/5, 2017 at 20:4 Comment(0)
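The header rewrite that a small Node.js front end like the one suggested above would apply to each request head, as an added example that is not code from any poster in this thread. It changes only the line terminators and rejects bare CR, other control characters, line folding and malformed header names instead of repairing them, so Apache behind it can stay on `HttpProtocolOptions Strict`. The names `normalizeRequestHead` and `SAMPLE`, and the request line in the sample, are assumptions made for the illustration.

```javascript
'use strict';
// Added example (not from the thread): rewrite bare-LF line endings in a
// request head to CRLF, rejecting rather than repairing anything else.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;               // header-name token
const REQUEST_LINE = /^[A-Z]+ [\x21-\x7e]+ HTTP\/1\.[01]$/;  // exactly two SP

// Returns { head, bodyOffset }, null while the blank line that ends the head
// has not arrived yet, or throws on input that must not be forwarded.
function normalizeRequestHead(raw) {
  const text = raw.toString('latin1');          // one byte per character
  const end = /\r?\n\r?\n/.exec(text);          // blank line, LF or CRLF form
  if (!end) return null;
  const lines = text.slice(0, end.index).split(/\r?\n/);
  lines.forEach((line, i) => {
    // A CR not followed by LF, NUL and other CTLs (HTAB excepted) stay illegal.
    if (/[\x00-\x08\x0a-\x1f\x7f]/.test(line)) throw new Error('control character in head');
    if (i === 0) {
      if (!REQUEST_LINE.test(line)) throw new Error('bad request line');
      return;
    }
    if (/^[ \t]/.test(line)) throw new Error('obsolete line folding');
    const colon = line.indexOf(':');
    if (colon < 1 || !TOKEN.test(line.slice(0, colon))) throw new Error('bad header name');
  });
  return {
    head: Buffer.from(lines.join('\r\n') + '\r\n\r\n', 'latin1'),
    bodyOffset: end.index + end[0].length,      // where the message body starts
  };
}

// Constructed sample: the headers from the question, with an assumed request line.
const SAMPLE = Buffer.from(
  'GET /legacy/update HTTP/1.1\n' +
  'Host: www.ourhostname.com:80\n' +
  'Accept-language: en\n' +
  'user_agent: Our Old Application\n\n', 'latin1');

console.log(JSON.stringify(normalizeRequestHead(SAMPLE).head.toString('latin1')));
```

On a keep-alive connection the same function has to be applied to every request head, with the body bytes starting at `bodyOffset` relayed unchanged.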
