
Comments (2)

ferd commented on June 3, 2024

Vegur does not "parse" the method past looking for delimiters. It will use any characters accepted in there and pass them through to another server as-is.

The RFC7230 spec allows the following (https://tools.ietf.org/html/rfc7230#section-3.2.6 and https://tools.ietf.org/html/rfc5234#appendix-B.1):

   Most HTTP header field values are defined using common syntax
   components (token, quoted-string, and comment) separated by
   whitespace or specific delimiting characters.  Delimiters are chosen
   from the set of US-ASCII visual characters not allowed in a token
   (DQUOTE and "(),/:;<=>?@[\]{}").

     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters

      DIGIT          =  %x30-39             ; 0-9
      ALPHA          =  %x41-5A / %x61-7A   ; A-Z / a-z
      VCHAR          =  %x21-7E             ; visible (printing) characters

Strictly speaking, it seems like the proxy itself allows a broader set of characters than what would otherwise be accepted by the strictest of servers. That being said, there is no way to wedge an HTTP request in there that would be a risk of injection or most security threats I know of (the delimiter would be hit early if not the line length limit), and the proxy is written in a memory-safe language that wouldn't be at risk of any sort of exploit issues related to this behaviour.

The only practical issues are possibly related to compatibility across servers, and the end behaviour observed otherwise (i.e. the 200 OK you get) is the result of the server on the back-end behind Heroku's proxy responding to the original query, Apache in this case.

NOTE: I do not work for Heroku (Salesforce). I was one of the developers on this application years ago but do not speak for the company in any function whatsoever.

from vegur.
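The token grammar quoted above, worked through as an added example. This is not vegur's code (vegur is written in Erlang; this is Python): `lenient_parse` is a model of the delimiter-only behaviour ferd describes (the method is whatever precedes the first SP, passed through unchanged), `strict_parse` adds the RFC 7230 `token = 1*tchar` check, and the two are run side by side over constructed request bytes. `MAX_REQUEST_LINE` is an assumed line-length cap, not vegur's actual limit, and the sample requests are made up for the demonstration.

```python
"""
Added example (not vegur's code): RFC 7230 token validation for the
request method, compared with a delimiter-only parse of the request line.
"""

# RFC 7230 s.3.2.6:
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-"
#         / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~"
                  "0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz")

# Delimiters are the VCHARs (%x21-7E) that are not tchar,
# i.e. DQUOTE and "(),/:;<=>?@[\]{}".
VCHAR = frozenset(chr(c) for c in range(0x21, 0x7F))
DELIMITERS = VCHAR - TCHAR


def is_token(s: str) -> bool:
    """token = 1*tchar: non-empty, every character a tchar."""
    return len(s) >= 1 and all(c in TCHAR for c in s)


# Assumed value for illustration only, not vegur's real limit.
MAX_REQUEST_LINE = 8192


def read_request_line(stream: bytes) -> bytes:
    """Return the first line of the raw request, up to (not including)
    the first CRLF. Anything after that CRLF is a later line and never
    becomes part of the method, which is why a CRLF 'wedged' into the
    method cannot smuggle a second request line through here."""
    end = stream.find(b"\r\n")
    if end < 0:
        raise ValueError("no CRLF terminating the request line")
    if end > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    return stream[:end]


def lenient_parse(stream: bytes) -> dict:
    """Delimiter-only parse, modelling the behaviour ferd describes:
    the method is whatever precedes the first SP and is passed through
    as-is, with no character-class check on it."""
    line = read_request_line(stream)
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError("request line must be 'method SP target SP version'")
    method, target, version = (p.decode("latin-1") for p in parts)
    if not version.startswith("HTTP/"):
        raise ValueError("bad HTTP version")
    return {"method": method, "target": target, "version": version}


def strict_parse(stream: bytes) -> dict:
    """Same split, plus the RFC 7230 token check on the method."""
    req = lenient_parse(stream)
    if not is_token(req["method"]):
        bad = sorted(set(req["method"]) - TCHAR)
        raise ValueError(f"method is not a token; offending chars: {bad!r}")
    return req


def classify(stream: bytes) -> str:
    """How the two parsers treat one raw request:
    'both' (both accept), 'lenient-only', or 'rejected' (both refuse)."""
    try:
        lenient_parse(stream)
    except ValueError:
        return "rejected"
    try:
        strict_parse(stream)
    except ValueError:
        return "lenient-only"
    return "both"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain":      b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # '~' is a tchar, so this odd method is a valid token.
    "odd_token":  b"GE~T / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # DQUOTE and braces are delimiters: passed through leniently, not a token.
    "dquote":     b'GE"T / HTTP/1.1\r\nHost: example.com\r\n\r\n',
    "brace":      b"G{E}T / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Attempt to wedge a second line into the method: the CRLF delimiter
    # is hit first, leaving a one-part request line.
    "crlf_wedge": b"GET\r\nX-Injected: 1 / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # Extra SP-separated part: the SP delimiter breaks the 3-part shape.
    "sp_wedge":   b"GET /a HTTP/1.1 extra\r\nHost: example.com\r\n\r\n",
    # Oversized method: the line-length limit stops it.
    "too_long":   b"A" * (MAX_REQUEST_LINE + 1) + b" / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw)}")
```

Running it shows the split the comment describes: `dquote` and `brace` are exactly the "broader set of characters" case (lenient accepts, strict does not), while the `crlf_wedge`, `sp_wedge` and `too_long` attempts are all stopped by a delimiter or the length limit before anything could be injected. Which of the lenient-only methods a back-end then accepts is the compatibility question, and is decided by that back-end, not the proxy.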

geeknik commented on June 3, 2024

Thank you, that's everything I needed to hear. 👍🏻

from vegur.
