nginx does not allow multiple lines in a header value?

Adam Greene adam at sweetspot.dm
Mon Feb 23 04:41:03 MSK 2009


hey folks,

I ran into a funny issue with nginx when working on accepting oauth calls.
Nginx is stripping the authorization header out if the field value contains
newlines.  Http 1.1 guidelines state that this is valid:



to recreate, do the following:
* add $http_authorization to your nginx 'log_format main' clause so you can
see what is happening (or print out the headers from wherever nginx proxies
the call to)

* run a curl command like this against your nginx server:
curl -d '' -H 'Authorization: OAuth realm="",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="RmNuGxdkf6EaU%2Fy4PXgHj07aA3I%3D",
    oauth_nonce="49a19e21eebf0",
    oauth_timestamp="1235328545",
    oauth_token="some_token",
    oauth_consumer_key="consumer_key",
    oauth_version="1.0"' http://your.server.com

* you'll see the header value terminated after the first 'OAuth realm="",'
* try the same curl command but remove the return characters, and it will
work

the same behavior occurs when I strip out all proxy, compression, and ssl
and try to leave a very basic config file.  here is some information about
nginx:

# nginx -V
nginx version: nginx/0.6.34
built by gcc 4.2.4 (Ubuntu 4.2.4-1ubuntu3)
configure arguments: --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf
--pid-path=/var/run/nginx.pid --with-http_ssl_module
--with-http_stub_status_module
--add-module=/tmp/src/nginx/modules/nginx-upstream-fair

I'm a bit surprised that I'm seeing this and while I'm starting to suspect
nginx I'm sure it is possible that I'm missing something.  If this is a
valid bug, let me know what you would like in terms of additional
documentation, examples, etc.

thank you!
Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20090222/8c99124a/attachment.html>


More information about the nginx mailing list