PQ75936: WEBSPHERE PLUGIN DOES NOT HANDLE HTTP REQUEST OR RESPONSE WITH HEADER FIELDS THAT ARE EXTENDED OVER MULTIPLE LINES
APAR status

Closed as program error.

Error description

HTTP/1.0 RFC1945 says: http://www.w3.org/Protocols/rfc1945/rfc1945

Header fields can be extended over multiple lines by preceding each extra line with at least one SP or HT, though this is not recommended.

  HTTP-header   = field-name ":" [ field-value ] CRLF
  field-name    = token
  field-value   = *( field-content | LWS )
  field-content = <the OCTETs making up the field-value and consisting of either *TEXT or combinations of token, tspecials, and quoted-string>

Customer provided a testcase with multiline headers on the response. Here are my findings:

a) Web Container seems to handle multiline http headers properly (bypassing the plugin, the customer's testcase worked).
b) WebSphere Plug-in experiences a problem with handling multiline headers.

In the Plugin trace I can see:

  TRACE: lib_htresponse: htresponseRead: Reading the response:
  TRACE: HTTP/1.1 200 OK
  TRACE: Server: WebSphere Application Server/4.0
  TRACE: Content-Type: text/html
  TRACE: X-Some-Header: very
  TRACE: simple
  TRACE: lib_htresponse: htresponseSetError: Setting the error |3|
  ERROR: ws_common: websphereExecute: Failed to read from a new stream; App Server may have gone down during read

Here are my comments & questions:

How does the WAS 4.0 & 5.0 plugin internally handle parameters that are equivalent to these directives in IHS/Apache 2.0?
  LimitRequestFields
  LimitRequestFieldSize
  LimitRequestLine

Do we handle a scenario where the plugin receives a multiline http request/response that is split into extremely many lines, such as 5 000? If we do not limit it internally, is the limitation set by the LimitRequestFieldSize parameter in IHS?

In WebSphere 5.0.x the internal HTTP transport will be supported for production (for WAS 4.0 only a standalone webserver was supported for production). Do or will we have these configurable parameters in the WAS 5.0 WebContainer:
  LimitRequestBody
  LimitXMLRequestBody
  LimitRequestFields
  LimitRequestFieldSize
  LimitRequestLine

Local fix

None, or not using http requests with multiline headers at all. This does not prevent an attacker from sending this type of request to the WebSphere plugin, with the result that the plugin will mark the AppServer down.

Problem summary

****************************************************************
* USERS AFFECTED: WebSphere Application Server users of        *
*                 multi-line response headers.                 *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere plugins did not support a *
*                      multi-line response header.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The WebSphere plugins returned an INVALID_FORMAT error when the response header from the backend server was folded into multiple lines.

Problem conclusion

Added support to handle multi-line response headers from a backend server.

Temporary fix

Comments
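The folding rule and the many-continuation-lines question raised in the error description, as an added example that is not IBM's plug-in code: a parser that unfolds RFC 1945 continuation lines and enforces assumed limits modelled on the LimitRequestFields and LimitRequestFieldSize directives, so an over-limit or malformed head is rejected as such rather than the backend being treated as down. The 8190-byte default and the sample response are constructed for this example.

```python
"""Parse an HTTP/1.x response head, unfolding RFC 1945 continuation lines
and enforcing Apache/IHS-style field limits instead of failing hard."""
from typing import Dict, List, Tuple

# Assumed defaults modelled on the IHS/Apache directives LimitRequestFields
# and LimitRequestFieldSize named in the APAR (8190 is Apache's default).
MAX_FIELDS = 100
MAX_FIELD_SIZE = 8190

class HeaderError(ValueError):
    """Malformed or over-limit header block; the backend is not 'down'."""

def parse_response_head(raw: bytes, max_fields: int = MAX_FIELDS,
                        max_field_size: int = MAX_FIELD_SIZE) -> Tuple[str, Dict[str, str]]:
    """Return (status_line, headers) for a head ending in an empty line.

    A line starting with SP or HT continues the previous field (RFC 1945
    section 4.2); each fold becomes one SP. Continuation lines count toward
    the size of the field they extend, so a field folded across thousands
    of lines trips max_field_size instead of an unbounded read.
    """
    lines = [l.rstrip(b"\r").decode("latin-1") for l in raw.split(b"\n")]
    if not lines[0].startswith("HTTP/"):
        raise HeaderError("missing HTTP status line")
    fields: List[List[str]] = []  # [name, value] pairs in arrival order
    for text in lines[1:]:
        if text == "":
            break  # blank line ends the header block
        if text[0] in " \t":  # LWS: folded continuation of the last field
            if not fields:
                raise HeaderError("continuation line before any header field")
            fields[-1][1] = fields[-1][1] + " " + text.strip()
        else:
            name, sep, value = text.partition(":")
            if not sep or not name or " " in name or "\t" in name:
                raise HeaderError(f"malformed header line: {text!r}")
            if len(fields) >= max_fields:
                raise HeaderError(f"more than {max_fields} header fields")
            fields.append([name, value.strip()])
        name, value = fields[-1]
        if len(name) + 2 + len(value) > max_field_size:  # name ": " value
            raise HeaderError(f"field {name!r} exceeds {max_field_size} bytes")
    headers: Dict[str, str] = {}
    for name, value in fields:  # repeated names join with ", " as the RFC permits
        headers[name] = (headers[name] + ", " + value) if name in headers else value
    return lines[0], headers

# Constructed sample modelled on the folded X-Some-Header in the plug-in trace.
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: WebSphere Application Server/4.0\r\n"
          b"Content-Type: text/html\r\nX-Some-Header: very\r\n simple\r\n\r\n")
```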
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

SRLS
Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ75936
IBM Group: Software Group
Modified date: Jul 31, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.