
`@` is incorrectly accepted within header names

Status: Open. Opened by kenballus 10 months ago. 0 comments.

RFC 9110 states that header names must consist only of tchars, which are defined as follows:

  tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                 / DIGIT / ALPHA
                 ; any VCHAR, except delimiters

`@` is not in this list, but ATS accepts it within header names, as long as it is not the first character.

To test this, send ATS a request with `@` in a header name, and observe that it forwards the invalid header without modification.

For example, sending the following request

GET / HTTP/1.1\r\n
Host: whatever\r\n
To@st: test\r\n
\r\n

elicits the following response:

GET / HTTP/1.1\r\n
Host: echo\r\n
To@st: test\r\n
Client-ip: 172.18.0.1\r\n
X-Forwarded-For: 172.18.0.1\r\n
Via: http/1.1 traffic_server[503cce9c-f4c1-4ee9-bd19-63c6ae774944] (ApacheTrafficServer/10.1.0)\r\n
\r\n

The correct behavior is to respond 400, since `@` is not a valid character in this context.

kenballus, Mar 04 '25 20:03
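As an added illustration of the behavior the report asks for (this is example code written for this page, not Traffic Server's own parser), the following Python validator implements the RFC 9110 `tchar`/`token` rule quoted above and applies it to the field names of an HTTP/1.1 request head. A request whose field name contains `@` anywhere, first position or not, is rejected with a 400 instead of being forwarded. The sample requests at the bottom are constructed for this example; the function names `is_valid_field_name` and `validate_request_head` are this example's own.

```python
# Example validator for RFC 9110 field names (not Traffic Server code).
#
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#           "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
#   token = 1*tchar
#   field-name = token
TCHAR = set("!#$%&'*+-.^_`|~"
            "0123456789"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz")

# Versions this toy validator is willing to accept (assumption for the example).
SUPPORTED_VERSIONS = ("HTTP/1.0", "HTTP/1.1")


def is_valid_field_name(name: str) -> bool:
    """True iff `name` is a non-empty run of tchar (the RFC 9110 token rule).

    Unlike a first-character-only check, this rejects '@' at any position.
    """
    return len(name) >= 1 and all(c in TCHAR for c in name)


def validate_request_head(raw: bytes) -> tuple[int, str, dict[str, str]]:
    """Parse an HTTP/1.1 request head (request-line + field-lines + CRLF CRLF).

    Returns (status, reason, headers). status 200 means the head is
    well-formed and `headers` holds the parsed fields (names lower-cased);
    status 400 means the head must be rejected, with `reason` saying why.
    """
    try:
        text = raw.decode("ascii")           # field names are ASCII by grammar
    except UnicodeDecodeError:
        return 400, "non-ASCII byte in request head", {}

    if not text.endswith("\r\n\r\n"):
        return 400, "request head not terminated by CRLF CRLF", {}

    request_line, *field_lines = text[:-4].split("\r\n")

    # request-line = method SP request-target SP HTTP-version; method is a token.
    parts = request_line.split(" ")
    if (len(parts) != 3
            or not is_valid_field_name(parts[0])   # method uses the same token rule
            or not parts[1]
            or parts[2] not in SUPPORTED_VERSIONS):
        return 400, f"malformed request-line {request_line!r}", {}

    headers: dict[str, str] = {}
    for line in field_lines:
        name, colon, value = line.partition(":")
        if not colon:
            return 400, f"field-line without ':' {line!r}", {}
        if not is_valid_field_name(name):
            # This is the branch the report is about: 'To@st' lands here.
            return 400, f"invalid character in field name {name!r}", {}
        headers[name.lower()] = value.strip(" \t")   # trim optional whitespace

    return 200, "ok", headers


# Constructed sample requests for this example.
GOOD_REQUEST = b"GET / HTTP/1.1\r\nHost: whatever\r\nTest: test\r\n\r\n"
AT_IN_MIDDLE = b"GET / HTTP/1.1\r\nHost: whatever\r\nTo@st: test\r\n\r\n"
AT_AT_START = b"GET / HTTP/1.1\r\nHost: whatever\r\n@Test: test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST),
                       ("@ in middle", AT_IN_MIDDLE),
                       ("@ at start", AT_AT_START)):
        status, reason, headers = validate_request_head(req)
        print(f"{label:12s} -> {status} {reason} {headers}")
```

Running the module prints 200 for the clean request and 400 for both `@` variants; a proxy that behaves this way never forwards the `To@st` field line to an origin.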