Re: clients ignoring brokenness of sites

Thu 2009-07-23 at 14:00 +1200, Adrien de Croy wrote:

> Normally this wouldn't be particularly interesting - just another broken 
> site.  However all the browsers I tested swallowed this without 
> complaining and displayed the body.  I tested IE8, Chrome, FF3.5 and 
> Opera 9.6.4.  Each of the lines in the response was terminated by CRLF 
> (not bare LF), so I'm struggling to see how anyone can interpret the PHP 
> warning as anything resembling a valid header (even wrapped, since no 
> leading WS).

Heh..

Your message got me to test how Squid behaves, and the result was not
quite what I remembered. By default it logs those non-header error lines
without a ":" in the debug log and strips them from the response. In this
setting it also removes spaces before the ":" if any are seen. There is a
setting to barf loudly and reject the response, but it's not enabled by
default (it then stops at "PHP Warning:", barfing on the space
character).

Servers allowing applications to send headers like this is a security
issue, as it opens the door to cache poisoning attacks if an attacker can
inject data there; but provided proxies handle corrupted messages
reasonably well, it's isolated to their own content, so it's not
considered a major issue.

Regards
Henrik

Received on Thursday, 23 July 2009 19:48:55 UTC
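As an added illustration (not code from this thread or from Squid itself), a small Python parser that mimics the two behaviours Henrik describes: a lenient default that logs and drops lines without a ":" and removes whitespace before the ":", and a strict mode that rejects the block at the first field name that is not a valid token. The sample response, the function name and the exception name are my own constructions.

```python
import re
from typing import Dict, List, Tuple

# RFC 2616 field names are tokens: no control characters or separators,
# so a name containing a space (as in "PHP Warning") is invalid.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised in strict mode on the first line that is not a valid field."""


def parse_header_block(raw: bytes, strict: bool = False) -> Tuple[Dict[str, str], List[str]]:
    """Parse a CRLF-terminated status line plus headers (hypothetical helper).

    Lenient mode: a line with no ':' goes into `dropped` instead of the
    headers; whitespace between the field name and ':' is deleted.
    Strict mode: the first non-token field name rejects the whole block.
    Later duplicates of a name overwrite earlier ones (last wins).
    """
    headers: Dict[str, str] = {}
    dropped: List[str] = []
    lines = raw.decode("iso-8859-1").split("\r\n")
    for line in lines[1:]:            # lines[0] is the status line
        if line == "":
            break                     # blank line ends the header block
        if ":" not in line:
            if strict:
                raise MalformedHeader(f"no ':' in {line!r}")
            dropped.append(line)      # what Squid would log and strip
            continue
        name, value = line.split(":", 1)
        if strict and not _TOKEN.match(name):
            raise MalformedHeader(f"invalid field name {name!r}")
        name = re.sub(r"\s+", "", name)   # lenient: remove spaces before ':'
        headers[name.lower()] = value.strip()
    return headers, dropped


# Constructed sample modelled on the broken PHP response discussed above.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"PHP Warning:  Undefined variable $x in /var/www/index.php on line 7\r\n"
    b"Stack trace follows\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<html></html>"
)


def strict_rejects(raw: bytes = SAMPLE) -> bool:
    """True if strict mode refuses the block (it stops at 'PHP Warning:')."""
    try:
        parse_header_block(raw, strict=True)
    except MalformedHeader:
        return True
    return False
```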