multi-line (folded) HTTP header wrongly parsed #53

Closed
moriyoshi opened this Issue Feb 18, 2014 · 7 comments

Projects

None yet

3 participants

@moriyoshi

According to RFC2616 2.2., the parsed value of a folded header is supposed to have continuations intact or replaced with a single SP though waitress strips them all (see this).

This behaviour keep developers from dealing with folded headers that are rendered with meaningful occurrences of continuations.

HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding, has the same semantics as SP. A
recipient MAY replace any linear white space with a single SP before
interpreting the field value or forwarding the message downstream.

  LWS            = [CRLF] 1*( SP | HT )
@moriyoshi

Any comments on this?

@mcdonc
Member
mcdonc commented Jun 16, 2014

A pull request would help push this through more quickly if there's an issue.

@moriyoshi

There's definitely an issue. I'm wondering why you saw this as bogus...

@mcdonc
Member
mcdonc commented Jul 30, 2014

I didn't say anything about it being bogus. I said a pull request would help it along more quickly if there's an issue. That's still true.

@moriyoshi

Okay, there are actually several ways to fix this. First one is to replace every folding by a single SP character. Second one is to keep foldings in the parsing results as they have been brought in. That's why I initially thought it would need a discussion before making a patch for that.

@moriyoshi

As a sidenote, I hit this bug in the real-world setup of applications and it wasn't my intention to try to do some nitpicking around a dark corner of the HTTP spec.

@mcdonc
Member
mcdonc commented Jul 30, 2014

I guess we could try to replace foldings with a space.

@davisagli davisagli added the bug label Apr 13, 2015
@davisagli davisagli closed this in #90 Apr 13, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment