Comments (2)
Vegur does not "parse" the method past looking for delimiters. It will use any characters accepted in there and pass them through to another server as-is.
The RFC7230 spec allows the following (https://tools.ietf.org/html/rfc7230#section-3.2.6 and https://tools.ietf.org/html/rfc5234#appendix-B.1):
Most HTTP header field values are defined using common syntax
components (token, quoted-string, and comment) separated by
whitespace or specific delimiting characters. Delimiters are chosen
from the set of US-ASCII visual characters not allowed in a token
(DQUOTE and "(),/:;<=>?@[\]{}").
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
/ DIGIT / ALPHA
; any VCHAR, except delimiters
DIGIT = %x30-39 ; 0-9
ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
VCHAR = %x21-7E ; visible (printing) characters
Strictly speaking, it seems like the proxy itself allows a broader set of characters than what would otherwise be accepted in the strictest of servers. That being said, there is no way to wedge an HTTP request in there that would be a risk of injection or most security threats I know of (the delimiter would be hit early if not the line length limit), and the proxy is written in a memory-safe language that wouldn't be at risk of any sort of exploit issues related to this behaviour.
The only practical issues are possibly related to compatibility across servers, and the end-behaviour observed otherwise (i.e. the 200 OK you get) is the result of the server on the back-end behind Heroku's proxy responding to the original query, Apache in this case.
NOTE: I do not work for Heroku (Salesforce). I was one of the developers on this application years ago but do not speak for the company in any function whatsoever.
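To make the distinction in the comment above concrete, here is an added example (not vegur's code, nor Heroku's) that models a delimiter-only scan of the request method next to a strict RFC 7230 token check; the request lines are constructed samples, and the function names are my own.

```python
# Added example: RFC 7230 tchar/token rules applied to the HTTP request
# method, contrasting a delimiter-only scan with strict token validation.
import string
from typing import Optional, Tuple

# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^"
#       / "_" / "`" / "|" / "~" / DIGIT / ALPHA            (RFC 7230 s3.2.6)
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# Delimiters: the VCHARs not allowed in a token (DQUOTE and "(),/:;<=>?@[\]{}").
DELIMITERS = frozenset('"(),/:;<=>?@[\\]{}')


def is_token(s: str) -> bool:
    """Strict check: token = 1*tchar (at least one tchar, nothing else)."""
    return len(s) >= 1 and all(c in TCHAR for c in s)


def lenient_method(request_line: bytes) -> Optional[bytes]:
    """Delimiter-only scan: everything up to the first SP is the method and is
    passed through unchanged. Only an absent delimiter or an empty method
    yields None, so non-token bytes survive this step."""
    sp = request_line.find(b" ")
    if sp <= 0:
        return None
    return request_line[:sp]


def strict_method(request_line: bytes) -> Optional[bytes]:
    """Strict server behaviour: the method must additionally be a valid token.
    latin-1 decoding keeps a 1:1 byte-to-char mapping, so any non-ASCII byte
    simply fails the tchar test."""
    m = lenient_method(request_line)
    if m is None or not is_token(m.decode("latin-1")):
        return None
    return m


# Constructed request lines (not captured traffic), one per case of interest.
SAMPLES = {
    "plain":     b"GET / HTTP/1.1",
    "tchar":     b"G`T / HTTP/1.1",   # backtick is a legal tchar: both accept
    "delimiter": b"G@T / HTTP/1.1",   # '@' is a delimiter: only the scan accepts
    "no_space":  b"GET",              # no SP at all: neither yields a method
}


def classify(request_line: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (lenient result, strict result) for one request line."""
    return (lenient_method(request_line), strict_method(request_line))
```

Running `classify` over `SAMPLES` shows where the two approaches diverge: the back-end server, not the pass-through scan, is what decides the fate of a method such as `G@T`.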
Thank you, that's everything I needed to hear. 👍🏻