[Bro] http-protocol.pac parsing error on HTTP 1.1 folded headers

Kelvin Edmison kelvin at projectrialto.com
Fri Feb 8 12:14:41 PST 2008

I've found an interesting binpac parse error when parsing http headers
from www.golfsmith.com using http-protocol.pac.  The problem is that the
golfsmith server is replying with a header that http-protocol.pac is
interpreting as corrupt.
Here's an example of the golfsmith.com headers
HTTP/1.1 200 OK
Date: Fri, 01 Feb 2008 17:10:30 GMT
Server: Apache/2.2.6 (Unix) mod_ssl/2.2.6 
 DAV/2 PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Type: text/html
Note the line DAV/2 that is started with a space.  That's where the
parsing error occurs.  However, it seems like this may actually be legal
according to the standards.  
RFC2616 section 2.2 indicates that 
"HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding, has the same semantics as SP. A
recipient MAY replace any linear white space with a single SP before
interpreting the field value or forwarding the message downstream."
According to this section, the www.golfsmith.com header "Server:" is
broken across the two lines, and it's value is actually "Apache/2.2.6
(Unix) mod_ssl/2.2.6<LF><SP>DAV/2 PHP/5.2.5"
Does anyone have ideas on how http-protocol.pac should be modified to
handle this situation?
  Kelvin Edmison
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080208/29a529fe/attachment.html 

More information about the Bro mailing list