id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version
1014,RFC 7230 Compliance: Err 400 on space+colon for header field separator,regilero,,"https://tools.ietf.org/html/rfc7230#section-3.2.4

> No whitespace is allowed between the header field-name and colon. In
> the past, differences in the handling of such whitespace have led to
> security vulnerabilities in request routing and response handling. A
> server MUST reject any received request message that contains
> whitespace between a header field-name and colon with a response code
> of 400 (Bad Request). A proxy MUST remove any such whitespace from a
> response message before forwarding the message downstream.

Currently, sending such a header, like:
{{{
Dummy : header
     ^ bad space
}}}
Nginx is not generating an err400.

Nginx has a '''safe behavior''':
 - ignores the header value
 - does not transmit it when used as a reverse proxy

But that's not the official way: (...) A server '''MUST''' reject any received request message(...)

Easy test:
{{{
# valid range header
printf 'GET / HTTP/1.1\r\n'\
'Host: nginx.org\r\n'\
'range: bytes=2-4\r\n''\r\n' | nc -q 3 95.211.80.227 80
# => 206 partial content

# invalid range header
printf 'GET / HTTP/1.1\r\n'\
'Host: nginx.org\r\n'\
'range : bytes=2-4\r\n''\r\n' | nc -q 3 95.211.80.227 80
# => 200 full response instead of 400
}}}
",enhancement,closed,minor,,other,1.11.x,fixed,,,,1.11.1