Subject: HTTP::Daemon message header restriction causes failure with Norton Internet Security
The get_request() method of HTTP::Daemon (version 1.26) does not comply with the HTTP 1.1 spec regarding the field-name component of message headers. This is causing HTTP::Daemon to fail in environments running the Norton Internet Security firewall product.
Per the HTTP 1.1 spec (ftp://ftp.isi.edu/in-notes/rfc2616.txt):
message-header = field-name ":" [ field-value ]
field-name = token
The HTTP 1.1 spec further defines "token" to be:
token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
SP             = <US-ASCII SP, space (32)>
HT             = <US-ASCII HT, horizontal-tab (9)>
However, HTTP::Daemon::get_request() restricts field-names to those that match the following regex:
/^([\w\-]+)\s*:\s*(.*)/
This causes HTTP::Daemon to improperly truncate POST requests from environments running the Norton Internet Security firewall, which adds a header that looks something like:
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
The tilde is a legal token character under the spec, but it is not matched by [\w\-]. When HTTP::Daemon::get_request() encounters this header, the header-parsing loop stops and the rest of the input is treated as the message body, so every header after it (Content-Length included) is ignored.
The following regex fixes the problem and is in compliance with the HTTP 1.1 spec:
m/^([^\x00-\x1f\x7f()<>@,;:\\"\/[\]?={}\x20\x09]+)\s*:\s*(.*)/
Note that the \s* before the ":" is itself a violation of the HTTP 1.1 spec, which allows no whitespace between the field-name and the colon; for strict compliance it should probably be removed.
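As an added illustration, not part of the original report and not HTTP::Daemon's own code, the following Python script models the get_request() header loop with each of the three regexes discussed above (the original, the proposed fix, and the strict variant without \s*), translated from Perl. The sample POST request, its Host value and its Content-Length are constructed for the demonstration; only the tilde header line is taken from the report.

```python
import re

# Regex used by HTTP::Daemon 1.26 get_request() as quoted in the report,
# translated from Perl to Python (the character classes are identical).
OLD_FIELD_RE = re.compile(r'^([\w\-]+)\s*:\s*(.*)')

# RFC 2616 token: 1*<any CHAR except CTLs or separators>, i.e. anything
# except octets 0-31, DEL, and the listed separator characters.
TOKEN = r'[^\x00-\x1f\x7f()<>@,;:\\"/\[\]?={}\x20\x09]+'

# The fix proposed in the report (still tolerates whitespace before ":").
RFC_FIELD_RE = re.compile(r'^(' + TOKEN + r')\s*:\s*(.*)')

# Strictly RFC-conforming variant: no whitespace between field-name and ":".
STRICT_FIELD_RE = re.compile(r'^(' + TOKEN + r'):\s*(.*)')


def parse_headers(block, field_re):
    """Consume header lines the way get_request() does: one regex match per
    line, stopping at the first line that does not match.  Returns the list
    of (name, value) pairs and whatever text was left over, which the daemon
    would go on to treat as the message body."""
    lines = block.split("\r\n")
    headers = []
    consumed = 0
    for line in lines:
        if line == "":          # empty line terminates the header block
            consumed += 1
            break
        m = field_re.match(line)
        if m is None:           # no match: the header loop ends here
            break
        headers.append((m.group(1), m.group(2)))
        consumed += 1
    return headers, "\r\n".join(lines[consumed:])


def parse_request(raw, field_re):
    """Split off the request line, then parse headers with the given regex."""
    request_line, _, rest = raw.partition("\r\n")
    headers, body = parse_headers(rest, field_re)
    return request_line, headers, body


def content_length(headers):
    """Return the Content-Length value as an int, or None if it was lost."""
    for name, value in headers:
        if name.lower() == "content-length":
            return int(value.strip())
    return None


# Constructed sample request (not a captured one): a POST whose headers
# include the tilde header the report attributes to Norton Internet Security.
SAMPLE_REQUEST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "name=survey"
)


def compare(raw=SAMPLE_REQUEST):
    """Parse the same request with each regex and summarise what survives."""
    results = {}
    for label, rx in (("old", OLD_FIELD_RE),
                      ("rfc", RFC_FIELD_RE),
                      ("strict", STRICT_FIELD_RE)):
        _, headers, body = parse_request(raw, rx)
        results[label] = {
            "header_names": [n for n, _ in headers],
            "content_length": content_length(headers),
            "body": body,
        }
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:6s} headers={r['header_names']} "
              f"content_length={r['content_length']} body={r['body']!r}")
```

With the old regex the loop stops at the tilde line, so only Host survives, Content-Length is lost and the remaining header text is handed over as the body; with either RFC-based regex all four headers are kept and the body is exactly the eleven bytes of form data. The strict variant differs from the proposed fix only for a header such as "X-Foo : bar", which it rejects.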