On Saturday, January 26, 2013 at 12:57 PM, Diederik van Liere wrote:
Now there could be a tab in a header value as well but
I have never seen it in our logfiles and i also grepped for it on a couple of random files
and found no such occurrences. So we are not going to escape tab characters in fields
unless new information changes our mind.
It would be nice the eliminate this worry categorically. I checked, and it appears that
varnishncsa and varnishlog do not escape tabs.
How I tested:
varnishd -a :10200 -b 126.96.36.199 -F
This will start a varnish instance on port 10200 that uses Google as a back-end. Then:
And in another shell:
curl -I --user-agent QQQQ$'\t'ZZZZ
(You can also add a tab to the command line by typing Ctrl-V + TAB.)
The output of varnishncsa is:
127.0.0.1 - - [26/Jan/2013:18:12:28 -0800] "HEAD http://127.0.0.1:10200/
HTTP/1.1" 200 0 "-" "QQQQ ZZZZ"
So the tab is not escaped.
According to RFC 2616 (see
<http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2>), tabs are permitted in
HTTP headers. In particular, a leading tab can be used to construct multi-line header
strings. I have no idea how common this is (I suspect it's pretty rare), but who
I don't think means you have to ditch tabs -- I doubt there's a problem-free
delimiter. But you should write code and configure software with the expectation that
literal tabs will be encountered so that you can deal with it gracefully.