From: William A. Rowe Jr Date: Mon, 29 Aug 2016 17:30:53 +0000 (+0000) Subject: Clarify documentation based on concensus decisions discussed on dev@ X-Git-Tag: 2.5.0-alpha~1185 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9454686cdef5b16ad6f13d407c77a440e3e62bff;p=apache Clarify documentation based on concensus decisions discussed on dev@ and reflecting the current implementation. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1758265 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index eb9d5bea89..3ebd81da27 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -1253,10 +1253,8 @@ EnableSendfile On HttpProtocolOptions Modify restrictions on HTTP Request Messages HttpProtocolOptions [Strict|Unsafe] [StrictURL|UnsafeURL] - [StrictWhitespace|UnsafeWhitespace] [RegisteredMethods|LenientMethods] - [Allow0.9|Require1.0] -HttpProtocolOptions Strict StrictURL StrictWhitespace -LenientMethods Allow0.9 + [RegisteredMethods|LenientMethods] [Allow0.9|Require1.0] +HttpProtocolOptions Strict StrictURL LenientMethods Allow0.9 server config virtual host 2.2.32 or 2.4.24 and later @@ -1281,9 +1279,14 @@ LenientMethods Allow0.9 >RFC 7230 §9.4 Request Splitting and §9.5 Response Smuggling call out only two of the potential - risks of accepting non-conformant request messages. As of the introduction - of this directive, all grammer rules of the specification are enforced in - the default Strict operating mode.

+ risks of accepting non-conformant request messages, while +

RFC 7230 §3.5 "Message Parsing Robustness" identify the + risks of accepting obscure whitespace and request message formatting. + As of the introduction of this directive, all grammer rules of the + specification are enforced in the default Strict operating + mode, and the strict whitespace suggested by section 3.5 is enforced + and cannot be relaxed.

RFC 3986 §2.2 and 2.3 define "Reserved Characters" and @@ -1293,21 +1296,9 @@ LenientMethods Allow0.9 containing invalid characters. This rule can be relaxed with the UnsafeURI option to support badly written user-agents.

-

RFC 7230 §3.5 "Message Parsing Robustness" permits, and - identifies potential risks of parsing messages containing non-space - character whitespace. While the spec defines that exactly one space - seperates the URI from the method, and the protocol from the URI, and - only space and horizontal tab characters are allowed in request header - field contents, the Apache HTTP Server was traditionally lenient in - accepting other whitespace. The default StrictWhitespace - option will now reject non-conforming requests. The administrator may - toggle the UnsafeWhitespace option to continue to honor - non-conforming requests, with considerable risk of proxy interactions.

- -

Users are strongly cautioned against toggling the Unsafe, - UnsafeURI or UnsafeWhitespace modes of operation - particularly on outward-facing, publicly accessible server deployments. +

Users are strongly cautioned against toggling the Unsafe + or UnsafeURI modes of operation, particularly on + outward-facing, publicly accessible server deployments. If an interface is required for faulty monitoring or other custom service consumers running on an intranet, users should toggle only those Unsafe options which are necessary, and only on a specific virtual host configured
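Review bot: in the hunk at `@@ -1253,10 +1253,8 @@`, dropping the `[StrictWhitespace|UnsafeWhitespace]` tokens from the syntax line and the example leaves no statement of what the directive parser does with an existing configuration that still carries one of those tokens after an upgrade (accepted and ignored, or a startup error); since the related prose says the strict whitespace handling "cannot be relaxed", a one-line compatibility note next to the syntax would save administrators a failed restart or a silent no-op.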
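Review bot: the hunk at `@@ -1281,9 +1279,14 @@` carries the misspelling "grammer" from the removed line into the new one (`all grammer rules of the` should read `all grammar rules of the`), and the new sentence `RFC 7230 §3.5 "Message Parsing Robustness" identify the` has a singular subject, so `identify` should be `identifies`; both are worth fixing while the paragraph is being rewritten.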
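Review bot: in the hunk at `@@ -1293,21 +1296,9 @@`, the added caution `toggling the Unsafe or UnsafeURI modes of operation` and the retained context `relaxed with the UnsafeURI option` name the option `UnsafeURI`, while the directive syntax in the first hunk of this same patch lists it as `[StrictURL|UnsafeURL]`; the prose and the syntax line should agree on one spelling, otherwise an administrator copying the name from the caution paragraph gets a token the syntax does not document.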