Request methods with hyphens

Maxim Dounin mdounin at mdounin.ru
Thu Jul 11 12:23:25 UTC 2013


Hello!

On Thu, Jul 11, 2013 at 08:38:47AM +0900, Hiroaki Nakamura wrote:

> Hi,
> 
> 2013/7/10 Maxim Dounin <mdounin at mdounin.ru>:
> > Hello!
> >
> > On Wed, Jul 10, 2013 at 10:47:35PM +0900, Hiroaki Nakamura wrote:
> >
> >> Hi all,
> >>
> >> I found nginx rejects request methods with hyphens like
> >> VERSION-CONTROL with the status code 400.
> >> I got the following debug log:
> >>
> >> 2013/07/10 13:55:29 [info] 79048#0: *4 client sent invalid method
> >> while reading client request line, client: 127.0.0.1, server:
> >> localhost, request: "VERSION-CONTROL / HTTP/1.1"
> >> 2013/07/10 13:55:29 [debug] 79048#0: *4 http finalize request: 400, "?" a:1, c:1
> >
> > Is it a method used by some real-world software?
> 
> VERSION-CONTROL is defined in the Versioning Extensions to WebDAV spec.
> http://www.webdav.org/specs/rfc3253.html

The question still applies.

[...]

> > As of now nginx rejects anything which isn't uppercase latin
> > letters (or underscore) as syntactically invalid (and hence 400).
> 
> According to RFC2616,  any CHAR except CTLs or separators is
> syntactically valid.

For sure.  But it doesn't mean that (more strict) syntax rules as 
applied by nginx needs to be changed (unless there is a good 
reason).

> > I don't think that current behaviour should be changed unless
> > there are good reasons to.  If there are good reasons, we probably
> > should do something similar to underscores_in_headers, see
> > http://nginx.org/r/underscores_in_headers.
> 
> I would like to use limit_except to accept only HEAD, GET and POST methods,
> and return 405 (Method Not Allowed) or 501 (Not Implemented) for the
> other methods.
> Is this a good reason?

Doesn't looks like a good reason for me.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx-devel mailing list