Open kenballus opened 6 months ago
IMHO it's not critical and from a security perspective nothing bad should happen. According to Postel's Law we should accept this.
The potential security problem is that some reverse proxies treat `\r\n:\r\n` as equivalent to `\r\n\r\n` (i.e., the end-of-headers sequence), but forward it as-is. This allows for request smuggling when used with a server that allows empty header names, like uhttpd.
Other web servers (e.g. Nginx, Apache) don't allow empty header names, so clients don't produce them, so no compatibility is lost. The RFCs are pretty clear that header names must be nonempty.
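The check that removes the discrepancy described above is to apply the RFC token rule to every field name, so that a `:\r\n` line is refused rather than parsed. The parser below is an added illustration written for this thread; it is not uhttpd's code and not code from anyone in the issue. It assumes the `tchar` set from RFC 9110 section 5.6.2 and deliberately ignores obsolete line folding and duplicate-header merging, which are not at issue here. The sample requests are constructed for the example.

```python
"""Strict HTTP/1.1 header-block parsing (added example, not uhttpd code).

RFC 9110 defines field-name as a token: one or more tchar. A line such as
":\r\n" therefore has an empty field-name and is malformed. Rejecting it
outright means a front end and a back end can never disagree about whether
"\r\n:\r\n" is one more header or the end of the header block, which is the
disagreement that makes request smuggling possible.
"""
import re

# tchar per RFC 9110 section 5.6.2 (assumption: transcribed here, not imported)
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
FIELD_NAME_RE = re.compile(rf"{TCHAR}+")


def is_valid_field_name(name: str) -> bool:
    """True iff name is a non-empty RFC 9110 token.

    Because space is not a tchar, this also rejects "Host :" style names
    with whitespace before the colon, which RFC 9112 says must be refused.
    """
    return FIELD_NAME_RE.fullmatch(name) is not None


def parse_header_block(raw: bytes):
    """Split a raw request into (request_line, headers, body).

    headers is a list of (name, value) tuples in wire order. Any malformed
    field line, including one with an empty field name, raises ValueError so
    the caller refuses the whole request instead of guessing where the
    headers end.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers sequence")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"field line without colon: {line!r}")
        name_s = name.decode("ascii", errors="replace")
        if not is_valid_field_name(name_s):
            raise ValueError(f"invalid field name: {name!r}")
        # OWS around the value is stripped; the value itself is kept verbatim
        headers.append((name_s, value.strip(b" \t").decode("ascii", errors="replace")))
    return request_line, headers, body


if __name__ == "__main__":
    # Constructed sample requests: one well formed, one with an empty name
    good = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
    bad = b"GET / HTTP/1.1\r\nHost: example.test\r\n:\r\nContent-Length: 0\r\n\r\n"
    print(parse_header_block(good))
    try:
        parse_header_block(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

The same `is_valid_field_name` check belongs on both sides of a proxy chain: a front end that refuses the request, and a back end that refuses it too, leave no component that silently consumes `\r\n:\r\n` differently from its neighbour.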
Thank you for the explanation.
uhttpd accepts requests with empty header names. These are invalid according to the RFCs.
For example, uhttpd will accept the following request: