PQ75936: WEBSPHERE PLUGIN DOES NOT HANDLE HTTP REQUEST OR RESPONSE WITH HEADER FIELDS THAT ARE EXTENDED OVER MULTIPLE LINES

 Fixes are available

4.0.7: WebSphere Application Server Version 4.0 Fix Pack 7
PQ86603: IBM HTTP Server V2.0.x mod_alias/mod_rewrite conflict with V5.0 plug-in
4.0.2-4.0.7: Plug-in component cumulative fix
5.0.2.7: WebSphere Application Server Express 5.0.2 Cumulative Fix 7
5.0.2.12: WebSphere Application Server 5.0.2 Cumulative Fix 12
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.8: WebSphere Application Server V5.0.2 Cumulative Fix 8
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX



APAR status
Closed as program error.

Error description
HTTP/1.0 (RFC 1945) says:

http://www.w3.org/Protocols/rfc1945/rfc1945
Header fields can be extended over multiple lines by preceding
each extra line with at least one SP or HT, though this is not
recommended.
HTTP-header    = field-name ":" [ field-value ] CRLF
field-name     = token
field-value    = *( field-content | LWS )
field-content  = <the OCTETs making up the field-value
                 and consisting of either *TEXT or combinations
                 of token, tspecials, and quoted-string>
.
Customer provided a testcase with multiline headers on response.
Here are my findings:
a) Web Container seems to handle multiline http headers properly
   (bypassing the plugin, the customer's testcase worked)
b) WebSphere Plug-in experiences a problem with handling
   multiline headers
.
In Plugin trace I can see:
TRACE: lib_htresponse: htresponseRead: Reading the response:
TRACE:    HTTP/1.1 200 OK
TRACE:    Server: WebSphere Application Server/4.0
TRACE:    Content-Type: text/html
TRACE:    X-Some-Header: very
TRACE:     simple
TRACE: lib_htresponse: htresponseSetError: Setting the error |3|
ERROR: ws_common: websphereExecute: Failed to read from a new
       stream; App Server may have gone down during read


Here are my comments & questions:
How do the WAS 4.0 & 5.0 plugins handle internally parameters
that are equivalent to these directives in IHS/Apache 2.0?
.
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
.

Do we handle a scenario where the plugin receives a multiline
HTTP request/response that is split into extremely many lines,
such as 5,000?  If we do not limit it internally, is the
limitation set by the LimitRequestFieldSize parameter in IHS?
.
In WebSphere 5.0.x the internal HTTP transport will be supported
for production (for WAS 4.0 only a standalone web server was
supported for production).  Do we have, or will we have, these
configurable parameters in the WAS 5.0 WebContainer:
.
LimitRequestBody
LimitXMLRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine
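The following parser is an added example and is not code from the WebSphere plug-in, the Web Container or IBM HTTP Server. It covers the two points raised in this description: how a field folded over several lines (RFC 1945 section 4.2, the construct the plug-in trace above chokes on) is reassembled into one value, and how LimitRequestLine / LimitRequestFieldSize / LimitRequestFields style bounds reject a response whose header is spread over thousands of continuation lines. The sample response is constructed from the trace quoted above; the default limit values are the documented Apache 2.0 defaults for those three directives; the `Limits` class, `fold_field` and `folded_response` helpers are this example's own names.

```python
"""Unfolding parser for HTTP/1.0 (RFC 1945) header blocks with limits.

Added example, not WebSphere plug-in or IBM HTTP Server code.
"""
from __future__ import annotations

from dataclasses import dataclass

# RFC 1945 section 2.2: token = 1*<any CHAR except CTLs or tspecials>
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')


def is_token(s: str) -> bool:
    return bool(s) and all(32 < ord(c) < 127 and c not in TSPECIALS for c in s)


class HeaderError(ValueError):
    """Malformed header block, or a limit was exceeded."""


@dataclass(frozen=True)
class Limits:
    # Defaults are Apache 2.0's defaults for LimitRequestLine,
    # LimitRequestFieldSize and LimitRequestFields respectively.
    request_line: int = 8190
    field_size: int = 8190
    fields: int = 100


def parse_header_block(raw: bytes, limits: Limits = Limits()) -> tuple[str, list[tuple[str, str]]]:
    """Return (start line, [(name, unfolded value), ...]).

    A line beginning with SP or HT continues the previous field and is
    joined to it with a single SP. Each limit is checked as the line
    arrives, so an endlessly folded field is rejected before it is
    buffered in full.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("header block not terminated by an empty line")
    lines = head.split(b"\r\n")
    start = lines[0]
    if not start:
        raise HeaderError("missing start line")
    if len(start) > limits.request_line:
        raise HeaderError("start line exceeds LimitRequestLine")

    fields: list[tuple[str, str]] = []
    name: str | None = None
    value = ""

    def flush() -> None:
        nonlocal name
        if name is not None:
            if len(fields) >= limits.fields:
                raise HeaderError("too many header fields (LimitRequestFields)")
            fields.append((name, value))
            name = None

    for line in lines[1:]:
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            if name is None:
                raise HeaderError("continuation line before any header field")
            value = value + " " + text.strip(" \t")
            # Size of the field once unfolded, i.e. "Name: value".
            if len(name) + 2 + len(value) > limits.field_size:
                raise HeaderError("folded field exceeds LimitRequestFieldSize")
            continue
        if len(line) > limits.field_size:
            raise HeaderError("header line exceeds LimitRequestFieldSize")
        flush()
        fname, colon, fvalue = text.partition(":")
        if not colon or not is_token(fname):
            raise HeaderError(f"malformed header line: {text!r}")
        name, value = fname, fvalue.strip(" \t")
    flush()
    return start.decode("latin-1"), fields


def accepts(raw: bytes, limits: Limits = Limits()) -> bool:
    """True if the block parses within the limits, False if rejected."""
    try:
        parse_header_block(raw, limits)
        return True
    except HeaderError:
        return False


def fold_field(name: str, words: list[str]) -> bytes:
    """One field with every word after the first on its own folded line."""
    head = f"{name}: {words[0]}".encode("latin-1")
    rest = [b" " + w.encode("latin-1") for w in words[1:]]
    return b"\r\n".join([head] + rest) + b"\r\n"


def folded_response(n_lines: int) -> bytes:
    """A 200 response whose X-Some-Header is spread over n_lines lines."""
    return b"HTTP/1.1 200 OK\r\n" + fold_field("X-Some-Header", ["w"] * n_lines) + b"\r\n"


# Constructed from the plug-in trace quoted in the error description.
TRACED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: WebSphere Application Server/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Some-Header: very\r\n"
    b" simple\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_header_block(TRACED_RESPONSE))
    print("5000-line fold accepted:", accepts(folded_response(5000)))
    print("100-line fold accepted:", accepts(folded_response(100)))
```

Run directly, it unfolds the traced response to `X-Some-Header: very simple`, accepts the same header spread over 100 lines, and rejects the 5,000-line variant once the unfolded field passes 8190 bytes. The size check is applied to the reassembled field rather than to each physical line, since each folded line on its own is tiny; a limit that looks only at line length would let the 5,000-line case through.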
Local fix
None, or do not use HTTP requests with multiline headers at all.
This does not prevent an attacker from sending this type of
request to the WebSphere plugin, which results in the plugin
marking the AppServer down: a single malformed exchange is enough
to take a healthy application server out of rotation, so the
defect is a denial-of-service condition rather than a cosmetic
parse failure.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users of        *
*                 multi-line response headers.                 *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere plugins did not support a *
*                      multi-line response header.             *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The WebSphere plugins returned an INVALID_FORMAT error when the
response header from the backend server was folded into
multiple lines.
Problem conclusion
Added support to handle multi-line response headers from a
backend server.
Temporary fix

Comments
APAR information
APAR number PQ75936
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-07-02
Closed date 2003-07-31
Last modified date 2003-07-31

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
Plugin

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ75936
IBM Group: Software Group
Modified date: Jul 31, 2003