https://bz.apache.org/bugzilla/show_bug.cgi?id=69732

            Bug ID: 69732
           Summary: Apache HTTP Server emits empty list elements in header
                    fields — violates RFC 9110 §5.6.1.1
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
          Assignee: docs@httpd.apache.org
          Reporter: z15543793...@163.com
  Target Milestone: ---

Dear Apache Team,

I would like to report a standards compliance issue in Apache HTTP Server
(httpd) related to the handling of list-valued header fields.

✅ Summary
Apache httpd can emit HTTP header fields that include empty list elements, such
as:

```
Transfer-Encoding: ,chunked
Connection: ,keep-alive
```

This violates RFC 9110 §5.6.1.1, which states:

In any production that uses the list construct, a sender MUST NOT generate
empty list elements.

Such behavior is observable when CGI scripts or modules generate or merge
header fields containing leading/trailing commas or adjacent commas.

🔬 Reproduction Steps
Start an httpd instance with mod_cgi enabled.

Deploy the following CGI script at /usr/local/apache2/cgi-bin/bad_header.cgi:

```
#!/bin/bash
echo "Content-Type: text/plain"
echo "Transfer-Encoding: ,chunked"
echo
echo "body"
```

Send a request:

```
curl -v http://localhost:8080/cgi-bin/bad_header.cgi
```

Observe the response header:

```
Transfer-Encoding: ,chunked
```

This clearly violates the list ABNF in RFC 9110 §5.6.1.1:

```
1#element => element *( OWS "," OWS element )
```

Empty elements are not allowed in list syntax. Valid output would be:

```
Transfer-Encoding: chunked
```

⚙️ Root Cause
When using apr_table_mergen, empty strings may be merged into list-valued
headers.

The ap_h1_append_headers function emits the resulting values directly, without
filtering empty list elements.

No sanitization is applied for Transfer-Encoding, Connection, Upgrade, or
similar list-structured headers.

📌 Impact
RFC non-compliance (MUST-level violation).

Potential interoperability issues with strict clients, intermediaries, or
proxies.

Possible misinterpretation or parsing errors in downstream systems.

A malformed list header may affect protocol behavior or caching heuristics.

Best regards
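
One way to do the filtering that the Root Cause section says is missing, as an added example that is not part of the original report and not httpd or APR code. `strip_empty_elems` is a hypothetical helper name, and re-joining the kept elements with ", " is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an httpd or APR function: copy a list field value
 * into out without its empty elements; commas inside a quoted-string do not
 * split. Returns elements kept (0: omit the field) or -1 if out is too small. */
static int strip_empty_elems(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    int kept = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (const char *p = in;; p++) {             /* p++ steps over the comma */
        const char *start, *end;
        int quoted = 0;
        while (*p == ' ' || *p == '\t')          /* leading OWS */
            p++;
        for (start = p; *p && (quoted || *p != ','); p++) {
            if (*p == '"')
                quoted = !quoted;
            else if (*p == '\\' && quoted && p[1])
                p++;                             /* skip a quoted-pair */
        }
        for (end = p; end > start && (end[-1] == ' ' || end[-1] == '\t'); )
            end--;                               /* trailing OWS */
        if (end > start) {                       /* keep non-empty elements */
            size_t len = (size_t)(end - start), sep = kept ? 2 : 0;
            if (used + sep + len + 1 > outsz)
                return -1;
            memcpy(out + used, ", ", sep);
            memcpy(out + used + sep, start, len);
            used += sep + len;
            out[used] = '\0';
            kept++;
        }
        if (*p == '\0')
            return kept;
    }
}

int main(void)
{
    /* Constructed sample values; the first two appear in the report. */
    const char *samples[] = { ",chunked", ",keep-alive", "a, ,b,,c ,", ", ," };
    char buf[64];
    for (size_t i = 0; i < 4; i++)
        printf("%d: \"%s\"\n", strip_empty_elems(samples[i], buf, sizeof buf), buf);
    return 0;
}
```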
