|Re: [jetty-users] Configuring option 2 of RFC 7230 paragraph 5 (HTTP header folding)|
The "message/http" content-type is typically only seen in the response body content to a TRACE method (which is unsupported by Jetty for security reasons).

e.g.:

    TRACE http://www.company.com/ HTTP/1.1
    Host: www.company.com
    Connection: Close
    (blank line)

    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Date: Wed, 15 Feb 2017 09:44:21 GMT
    Content-Type: message/http
    Connection: close
    Server: ImpressiveServer/220.127.116.11 (Unix)
    Connection: close
    Via: 1.1 bogusproxy

    9d
    TRACE / HTTP/1.1
    Connection: keep-alive
    Host: www.company.com
    Via: 1.1 bogusproxy
    X-Foo: Value1,Value2,Value3
    X-Forwarded-For: 18.104.22.168, 22.214.171.124

    0

It was removed from the spec specifically because it causes security issues (header injection).

Note: Internet Explorer, Chrome, Firefox, and most proxies do not support header folding anymore.

What you are trying to do is going to be increasingly difficult as time goes on (not only will Jetty reject it, but so must HTTP proxies and the like).

The spec is pretty clear: https://tools.ietf.org/html/rfc7230#section-3.2.4

    Historically, HTTP header field values could be extended over multiple
    lines by preceding each extra line with at least one space or horizontal
    tab (obs-fold). This specification deprecates such line folding except
    within the message/http media type (Section 8.3.1). A sender MUST NOT
    generate a message that includes line folding (i.e., that has any
    field-value that contains a match to the obs-fold rule) unless the
    message is intended for packaging within the message/http media type.

Your clients MUST NOT send folded HTTP headers.

It is highly unlikely that Jetty will reintroduce header folding.
You'll have to make a very good (security minded) case for it.

On Wed, Feb 15, 2017 at 10:13 AM, Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:

Hi,
I switched from 9.2 to 9.3 and two dozen test cases now fail due
to the fact that they create HTTP-requests containing folded HTTP-
request-headers. I'm aware of Bug 444222 where it's mentioned that
Jetty 9.3 will follow RFC 7230 more strictly so I know why I now
get HTTP 400 responses.
The RFC allows two ways of reacting to folded HTTP-headers:
| A server that receives an obs-fold in a request message that is not
| within a message/http container MUST either reject the message by
| sending a 400 (Bad Request), preferably with a representation
| explaining that obsolete line folding is unacceptable, or replace
| each received obs-fold with one or more SP octets prior to
| interpreting the field value or forwarding the message downstream.
Since we use Jetty as HTTP-server for AS2, WebService- and RESTful-
Service data exchanges on a couple thousand distinct installations
where we have absolutely no control over the other side sending in
these requests, the default-behavior will definitely break production
EDI setups. So I'm forced to use option 2 of the RFC.
How can I set up Jetty to replace line-breaks to spaces in order
to keep existing data exchanges running with the new version?
Thanks and best regards,
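As an added illustration of the two RFC 7230 options quoted in the question (not Jetty's code and not from either poster), here is a minimal Python parser for an HTTP/1.1 header section that either rejects obs-fold with a 400 or replaces each fold with one SP before interpreting the field value. The function names, the BadRequest class and the sample header blocks are constructed for this example.

```python
"""Handling obs-fold (RFC 7230 section 3.2.4) in an HTTP/1.1 header section.

Added example; not Jetty code. Line endings are strictly CRLF so that a
fold is only ever recognised on the same terminator the line splitter uses.
"""
import re

# obs-fold = CRLF 1*( SP / HTAB )
OBS_FOLD = re.compile(rb"\r\n[ \t]+")
# field-name = token (RFC 7230 section 3.2.6 tchar set)
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    """Raised when the header section must be answered with 400 Bad Request."""


def parse_headers(raw: bytes, unfold: bool = False) -> dict[str, list[str]]:
    """Parse a header section (without the request line or the final blank line).

    unfold=False is RFC 7230 option 1: any obs-fold is rejected.
    unfold=True is option 2: each obs-fold becomes a single SP before the
    value is interpreted, so a folded continuation line can never be taken
    for a new header field (the header-injection case the reply refers to).
    """
    if raw[:1] in (b" ", b"\t"):
        raise BadRequest("header section starts with whitespace")
    if OBS_FOLD.search(raw):
        if not unfold:
            raise BadRequest("obsolete line folding is unacceptable")
        raw = OBS_FOLD.sub(b" ", raw)
    headers: dict[str, list[str]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        # no whitespace is allowed between field-name and colon
        if not sep or not TOKEN.match(name):
            raise BadRequest(f"malformed header line: {line!r}")
        headers.setdefault(name.lower().decode("ascii"), []).append(
            value.strip(b" \t").decode("latin-1"))
    return headers


def status_for(raw: bytes, unfold: bool) -> int:
    """Status a server following the chosen RFC 7230 option would send."""
    try:
        parse_headers(raw, unfold)
    except BadRequest:
        return 400
    return 200
```

With unfold=True, a continuation line that happens to look like "Host: ..." stays inside the preceding field's value and never becomes a second Host header.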