IBM Support

IBM i HTTP Server Now Performs Strict Checking of Request Headers Per RFC7230

Flashes (Alerts)


Abstract

With IBM i HTTP Group PTF levels (7.3) SF99722 level 7, (7.2) SF99713 level 20, and (7.1) SF99368 level 46, the IBM HTTP Server on the IBM i OS now strictly checks HTTP request headers according to https://tools.ietf.org/html/rfc7230. If the request line or any header field contains extra or invalid whitespace, horizontal tabs, an empty field value, etc., an "HTTP 400 - Bad Request" response is returned to the client. Previously, the same HTTP request headers may have received an "HTTP 200 OK" response.

Content

IBM recently released the following IBM HTTP Group PTF levels:

IBM i 7.3
SF99722 level 7

IBM i 7.2
SF99713 level 20

IBM i 7.1
SF99368 level 46

At these levels of the HTTP Group PTF, IBM has included PTFs (V7R1: SI63670, V7R2: SI64140, V7R3: SI63997) to resolve CVE-2016-8743, described at Apache.org: http://httpd.apache.org/security/vulnerabilities_24.html. More information about IBM's Security Bulletin on this CVE can be found here.

After the PTFs are applied, the IBM HTTP Server LPP strictly checks HTTP request headers according to https://tools.ietf.org/html/rfc7230. If the request line or any header field contains extra or invalid whitespace, horizontal tabs, an empty field value, etc., an "HTTP 400 - Bad Request" response is returned to the client. Previously, the same HTTP request headers may have received an "HTTP 200 OK" response.

If your HTTP requests start receiving an "HTTP 400 - Bad Request" error after you install the latest IBM i HTTP group, it is very likely that one or more of your HTTP request headers are malformed. As a diagnostic workaround, the HTTP directive HttpProtocolOptions Unsafe can be added to the HTTP Server's /www/<server>/conf/httpd.conf file to disable the strict request header checking and confirm whether the same HTTP request then succeeds. If the "HttpProtocolOptions Unsafe" directive resolves the "HTTP 400 - Bad Request" error, the cause is confirmed, and the HTTP request header values should then be examined and fixed rather than leaving strict checking disabled. As stated above, HTTP request headers must not contain extra or invalid whitespace, horizontal tabs, empty field values, etc.
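As an added illustration (not IBM's or Apache's own parser), the following Python checker models the RFC 7230 rules described in the two paragraphs above and reports which of them a raw request head violates, so a client's requests can be checked before they reach the server. The two sample requests are constructed for this example, and the exact set of checks the PTF enforces is assumed to match the description in this flash.

```python
import re
from typing import List

# RFC 7230 3.2.6: token = 1*tchar (no whitespace, no HTAB, no other CTLs).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 7230 3.1.1: method SP request-target SP HTTP-version, single spaces only.
REQUEST_LINE_RE = re.compile(r"^([^ ]+) ([^ ]+) HTTP/\d\.\d$")
# RFC 7230 3.2: a field-value may hold VCHAR, obs-text, SP and HTAB; no other CTLs.
FIELD_VALUE_RE = re.compile(r"^[\t -~\x80-\xff]*$")


def check_request_head(raw: bytes) -> List[str]:
    """Return the RFC 7230 problems found in a request head (empty list = clean)."""
    problems = []
    head, sep, _body = raw.decode("latin-1").partition("\r\n\r\n")
    if not sep:
        return ["request head is not terminated by an empty line (CRLF CRLF)"]
    request_line, *header_lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        problems.append(f"malformed request line (extra or missing whitespace): {request_line!r}")
    elif not TOKEN_RE.match(m.group(1)):
        problems.append(f"method is not a token: {m.group(1)!r}")
    for line in header_lines:
        if line[:1] in (" ", "\t"):  # RFC 7230 3.2.4: obs-fold continuation line
            problems.append(f"obsolete line folding: {line!r}")
            continue
        name, colon, value = line.partition(":")
        if not colon:
            problems.append(f"header line without a colon: {line!r}")
            continue
        if not TOKEN_RE.match(name):  # whitespace before the colon, HTAB in the name, ...
            problems.append(f"invalid field-name: {name!r}")
        value = value.strip(" \t")  # optional whitespace around the value is allowed
        if value == "":
            problems.append(f"empty field value for {name!r}")
        elif not FIELD_VALUE_RE.match(value):
            problems.append(f"control character in the value of {name!r}")
    return problems


# Constructed sample requests; not captured from any real client.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: example.test\r\n"
                b"Accept: text/html\r\n\r\n")
BAD_REQUEST = (b"GET  /index.html HTTP/1.1\r\n"  # two spaces in the request line
               b"Host : example.test\r\n"        # space before the colon
               b"X-Trace\t: abc\r\n"             # horizontal tab in the field-name
               b"X-Empty:\r\n"                   # empty field value
               b"X-Folded: first\r\n second\r\n\r\n")  # obsolete line folding
```

An empty list corresponds to the request the strict server accepts; any reported problem corresponds to the "HTTP 400 - Bad Request" case.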

More information about the new HTTP directive, HttpProtocolOptions Unsafe, can be found here: http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions


Document Information

Modified date:
25 September 2022

UID

nas8N1021994