Erroneous handling of long request uris?

mitch.socialcast nginx-forum at nginx.us
Wed Feb 10 04:57:53 MSK 2010


So as you can see, it's intended this way to send only body without headers.

Thank you for taking the time to clarify that Rob -- I didn't realize that this was an attempt to support HTTP 0.9.

I did some searching, and found the following two 'specifications' for HTTP 0.9:

A) http://www.w3.org/Protocols/HTTP/AsImplemented.html
B) http://www.w3.org/Protocols/HTTP/HTTP2.html

Document A describes the prototype HTTP client as implemented by the W3C. This server only provides a subset of the HTTP 0.9 specification, as clearly indicated in the opening lines of the document. As far as I can tell, this prototype is the only implementation that does not always include an HTTP status line in its response (please feel free to correct me if I'm missing something).

Document B describes the full HTTP 0.9 protocol. After briefly skimming the specification, I found two portions which are relevant to this discussion:

B.1) "The Response" http://www.w3.org/Protocols/HTTP/Response.html
B.2) "Note: Client tolerance of bad servers" http://www.w3.org/Protocols/HTTP/HTRESP.html

B.1 clearly defines an HTTP response as starting with the following:

     ::=         
    ::=    3*
     ::=    3*
           ::=    0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
   ::=   * 

To me, this means that compliant HTTP 0.9+ servers always return the status line.

B.2, however, notes that HTTP 0.9 _clients_ should be tolerant of servers that behave like the W3C prototype HTTP server, in that they should be able to deal with responses which do not start with an HTTP status line. This implies that the vulnerability scan software is not technically an HTTP 0.9 compliant client, but (as far as I can tell) does not suggest that a compliant server should ever return an HTTP response without a status code.

To me, this suggests that the status-line-less response that nginx provides when it encounters an extremely long URI is not compliant with the HTTP 0.9 specification.  If this is not the case, please let me know.

Regardless of our interpretations of the HTTP 0.9 specification(s), I feel that the vast majority of HTTP clients have abandoned the nearly two-decade-old HTTP 0.9 protocol in favor of HTTP 1.0 or 1.1 -- servers which implement these protocols clearly MUST return a status line in order to be compliant; in light of this, does it really make sense to behave inappropriately according to the successors to HTTP 0.9 to ensure support for (what I assume to be) a minuscule fraction of the set of HTTP clients in 2010?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,52862,52902#msg-52902
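
The client tolerance described in B.2 above, sketched as an added example that is not part of the original post: a classifier that accepts both a response that starts with a status line and a body-only response without one. The function name, the result fields and the two sample responses are constructed for illustration and are not captured nginx output.

```python
import re

# Status line of a full response: version, three-digit code, optional reason.
STATUS_LINE = re.compile(rb"^HTTP/(\d+)\.(\d+) (\d{3})(?: ([^\r\n]*))?\r?\n")

# Constructed samples (assumed for illustration only).
FULL = (b"HTTP/1.1 414 Request-URI Too Large\r\n"
        b"Content-Type: text/html\r\nConnection: close\r\n\r\n<html>414</html>")
SIMPLE = b"<html>\r\n<head><title>414 Request-URI Too Large</title></head>\r\n</html>\r\n"


def classify_response(raw: bytes) -> dict:
    """Parse raw server bytes as a full response or a body-only (simple) one."""
    m = STATUS_LINE.match(raw)
    if m is None:
        # No status line: a tolerant client treats every byte as body and
        # must not infer a status code from it.
        return {"kind": "simple", "status": None, "headers": {}, "body": raw}

    headers, pos, complete = {}, m.end(), False
    while pos < len(raw):
        end = raw.find(b"\n", pos)
        line = raw[pos:] if end == -1 else raw[pos:end]
        pos = len(raw) if end == -1 else end + 1
        line = line.rstrip(b"\r")
        if not line:                      # blank line ends the header block
            complete = True
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

    return {
        "kind": "full",
        "version": (int(m.group(1)), int(m.group(2))),
        "status": int(m.group(3)),
        "reason": (m.group(4) or b"").decode("latin-1"),
        "headers": headers,
        "headers_complete": complete,     # False if the response was cut short
        "body": raw[pos:],
    }


if __name__ == "__main__":
    for sample in (FULL, SIMPLE):
        r = classify_response(sample)
        print(r["kind"], r["status"], len(r["body"]))
```

A scanner or monitoring check built on this can log `kind == "simple"` as its own finding instead of failing to parse the reply.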



