On Saturday, January 26, 2013 at 12:57 PM, Diederik van Liere wrote:
Now there could be a tab in a header value as well but I have never seen it in our logfiles and i also grepped for it on a couple of random files and found no such occurrences. So we are not going to escape tab characters in fields unless new information changes our mind.
It would be nice the eliminate this worry categorically. I checked, and it appears that varnishncsa and varnishlog do not escape tabs.
How I tested:
varnishd -a :10200 -b 173.194.79.104 -F
This will start a varnish instance on port 10200 that uses Google as a back-end. Then:
varnishncsa
And in another shell:
curl -I --user-agent QQQQ$'\t'ZZZZ http://127.0.0.1:10200
(You can also add a tab to the command line by typing Ctrl-V + TAB.)
The output of varnishncsa is:
127.0.0.1 - - [26/Jan/2013:18:12:28 -0800] "HEAD http://127.0.0.1:10200/ HTTP/1.1" 200 0 "-" "QQQQ ZZZZ"
So the tab is not escaped.
According to RFC 2616 (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2), tabs are permitted in HTTP headers. In particular, a leading tab can be used to construct multi-line header strings. I have no idea how common this is (I suspect it's pretty rare), but who knows.
I don't think means you have to ditch tabs -- I doubt there's a problem-free delimiter. But you should write code and configure software with the expectation that literal tabs will be encountered so that you can deal with it gracefully.
-- Ori Livneh