
Re: clients ignoring brokenness of sites

From: Adrian Chadd <adrian@creative.net.au>
Date: Thu, 23 Jul 2009 10:16:16 +0800
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20090723021616.GD8772@skywalker.creative.net.au>

On Thu, Jul 23, 2009, Adrien de Croy wrote:

> PHP Warning:  PHP Startup: sdo: Unable to initialize module
> Module compiled with module API=20060613, debug=0, thread-safety=1
> PHP    compiled with module API=20050922, debug=0, thread-safety=1
> These options need to match
> in Unknown on line 0

Hah nice!

> Normally this wouldn't be particularly interesting - just another broken 
> site.  However all the browsers I tested swallowed this without 
> complaining and displayed the body.  I tested IE8, Chrome, FF3.5 and 
> Opera 9.6.4.  Each of the lines in the response was terminated by CRLF 
> (not bare LF), so I'm struggling to see how anyone can interpret the PHP 
> warning as anything resembling a valid header (even wrapped, since no 
> leading WS).
> 
> Isn't this a potentially serious security problem?
> 
> It's hard to be the only proxy that decides to demonstrate how broken 
> this site is - customers don't understand....

I've been seeing other random non-header stuff in HTTP reply headers.
Squid also complains and iirc drops the request as invalid by default.

HTTP/1.1 200 OK
Content-Type: image/jpeg
Vary: Accept-Encoding
Accept_170C_49EDDAC0
expires: Thu, 15 Apr 2011 20:00:00 GMT
Content-Length: 5900
Date: Mon, 13 Jul 2009 08:17:12 GMT
Connection: close
age: 0
X-Cache: HIT

I'd love to know what generates that.



Adrian
Received on Thursday, 23 July 2009 02:16:57 GMT
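
Added example (not part of the original message, and not Squid's code): a strict Python check of a response's header block, of the kind a proxy could run before forwarding, applied to the two cases in this thread. The function name `audit_header_block` is hypothetical, and the PHP sample's status line, Content-Type header and placement of the warning lines are assumptions.

```python
import re

# RFC 7230 "tchar" set: the only characters allowed in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def audit_header_block(raw: bytes):
    """Return (headers, problems) for the header block of an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers, problems = [], []
    # Line 1 is the status line; field lines start at line 2.
    for lineno, line in enumerate(head.split("\r\n")[1:], start=2):
        if line[:1] in (" ", "\t"):
            if headers:  # obsolete line folding: continuation of previous value
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
            else:
                problems.append((lineno, "continuation without a header", line))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            problems.append((lineno, "no colon", line))
        elif not TOKEN.match(name):
            # A lenient split on the first colon would accept this as a header.
            problems.append((lineno, "invalid field name", line))
        else:
            headers.append((name, value.strip()))
    return headers, problems

# Constructed sample: warning lines from the quoted message; the status line,
# Content-Type header and their placement are assumptions.
PHP_SAMPLE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"PHP Warning:  PHP Startup: sdo: Unable to initialize module",
    b"Module compiled with module API=20060613, debug=0, thread-safety=1",
    b"PHP    compiled with module API=20050922, debug=0, thread-safety=1",
    b"These options need to match",
    b"in Unknown on line 0",
    b"Content-Type: text/html", b"", b"<html></html>"])

# The response quoted in the message (body omitted).
QUOTED_SAMPLE = b"\r\n".join([
    b"HTTP/1.1 200 OK", b"Content-Type: image/jpeg", b"Vary: Accept-Encoding",
    b"Accept_170C_49EDDAC0", b"expires: Thu, 15 Apr 2011 20:00:00 GMT",
    b"Content-Length: 5900", b"Date: Mon, 13 Jul 2009 08:17:12 GMT",
    b"Connection: close", b"age: 0", b"X-Cache: HIT", b"", b""])

if __name__ == "__main__":
    for label, sample in (("php", PHP_SAMPLE), ("quoted", QUOTED_SAMPLE)):
        for lineno, reason, line in audit_header_block(sample)[1]:
            print(f"{label}: line {lineno}: {reason}: {line!r}")
```

The first PHP warning line contains a colon, so a parser that only splits on the first colon would treat "PHP Warning" as a field name; the token check is what rejects it.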
