Environment
Debian 12, Linux 6.10.2
Nginx built from source at 00637cc.
Description
From RFC 9112:
```
field-line = field-name ":" OWS field-value OWS
```
From RFC 9110:
```
OWS = *( SP / HTAB )
```
The RFCs require that HTTP headers allow both spaces and tabs in the optional whitespace before a header value.
Nginx allows only spaces in this context, and incorrectly disallows tabs.
Steps to reproduce
```
printf 'GET / HTTP/1.1\r\nHost:\twhatever\r\n\r\n' | nc localhost 80
```
```
HTTP/1.1 400 Bad Request
Server: nginx/1.27.2
Date: Sun, 15 Sep 2024 00:09:24 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.27.2</center>
</body>
</html>
```
```
printf 'GET / HTTP/1.1\r\nHost: whatever\r\n\r\n' | nc localhost 80
```
```
HTTP/1.1 200 OK
Server: nginx/1.27.2
Date: Sun, 15 Sep 2024 00:32:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive

9d
{"headers":[["SG9zdA==","d2hhdGV2ZXI="],["Q29udGVudC1MZW5ndGg=",""],["Q29udGVudC1UeXBl",""]],"body":"","method":"R0VU","uri":"Lw==","version":"SFRUUC8xLjE="}
0

```
These two requests are equivalent per the RFCs, and should therefore get the same response.
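The grammar quoted in this issue, as an added example that is not part of the original report and is not nginx's code: a minimal field-line parser that strips SP and HTAB alike as OWS, so both `Host` lines above yield the same value. The function name `parse_field_line` is hypothetical; rejecting whitespace before the colon and control bytes in the value follows RFC 9112 and RFC 9110, and keeping that rejection identical across a proxy and its backend is what prevents the two from disagreeing about a header.

```c
#include <stdio.h>
#include <string.h>

/* tchar (RFC 9110): visible ASCII except the delimiter characters. */
static int is_tchar(unsigned char c)
{
    return c > 0x20 && c < 0x7f && strchr("\"(),/:;<=>?@[\\]{}", c) == NULL;
}

static int is_ows(char c) { return c == ' ' || c == '\t'; } /* OWS = *( SP / HTAB ) */

/* Parse one field-line (CRLF already stripped):
 *   field-line = field-name ":" OWS field-value OWS
 * Returns 0 and points name/value into `line`, or -1 if the line is invalid
 * (empty or non-token name, whitespace before ":", control byte in value). */
int parse_field_line(const char *line, const char **name, size_t *name_len,
                     const char **value, size_t *value_len)
{
    size_t n = 0, start, end, i;
    while (is_tchar((unsigned char)line[n]))
        n++;
    if (n == 0 || line[n] != ':')
        return -1;
    start = n + 1;
    while (is_ows(line[start]))                   /* leading OWS: SP or HTAB */
        start++;
    end = strlen(line);
    while (end > start && is_ows(line[end - 1]))  /* trailing OWS */
        end--;
    for (i = start; i < end; i++) {
        unsigned char c = (unsigned char)line[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return -1;
    }
    *name = line;          *name_len = n;
    *value = line + start; *value_len = end - start;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two Host lines from the requests above. */
    const char *lines[] = { "Host:\twhatever", "Host: whatever" };
    const char *n, *v; size_t nl, vl;
    for (int i = 0; i < 2; i++)
        if (parse_field_line(lines[i], &n, &nl, &v, &vl) == 0)
            printf("%.*s => [%.*s]\n", (int)nl, n, (int)vl, v);
    return 0;
}
```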