Nginx does not allow multiple lines in a header value?


#1

hey folks,

I ran into a funny issue with nginx when working on accepting oauth calls. Nginx is stripping the authorization header out if the field value contains newlines. Http 1.1 guidelines state that this is valid:

to recreate, do the following:

  • add $http_authorization to your nginx ‘log_format main’ clause so you can see what is happening (or print out the headers from wherever nginx proxies the call to)

  • run a curl command like this against your nginx server:
    curl -d '' -H 'Authorization: OAuth realm="",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="RmNuGxdkf6EaU%2Fy4PXgHj07aA3I%3D",
    oauth_nonce="49a19e21eebf0",
    oauth_timestamp="1235328545",
    oauth_token="some_token",
    oauth_consumer_key="consumer_key",
    oauth_version="1.0"' http://your.server.com

  • you’ll see the header value terminated after the first ‘OAuth realm="",’

  • try the same curl command but remove the return characters, and it will work

the same behavior occurs when I strip out all proxy, compression, and ssl and try to leave a very basic config file. here is some information about nginx:

nginx -V

nginx version: nginx/0.6.34
built by gcc 4.2.4 (Ubuntu 4.2.4-1ubuntu3)
configure arguments: --sbin-path=/usr/sbin
--conf-path=/etc/nginx/nginx.conf
--pid-path=/var/run/nginx.pid --with-http_ssl_module
--with-http_stub_status_module
--add-module=/tmp/src/nginx/modules/nginx-upstream-fair

I’m a bit surprised that I’m seeing this and while I’m starting to suspect nginx I’m sure it is possible that I’m missing something. If this is a valid bug, let me know what you would like in terms of additional documentation, examples, etc.

thank you!
Adam
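
The multi-line header handling discussed in this post, as an added example that is not part of the original post and is not nginx's code: a small header parser run in two modes, one that unfolds continuation lines (RFC 2616 line folding, called obs-fold in RFC 7230) and one that drops them, which reproduces the truncation described above. The function name `parse_headers`, its `unfold` flag and both sample requests are constructed for illustration; the second sample shows that lines without leading whitespace are not folding at all and surface as malformed lines.

```python
# Added illustration; the request bytes below are constructed samples.

def parse_headers(raw: bytes, unfold: bool):
    """Parse a CRLF-delimited header block.

    Returns (headers, malformed): a list of (name, value) pairs and a list
    of lines that are neither a header field nor a usable continuation.
    """
    headers, malformed = [], []
    for line in raw.split(b"\r\n"):
        if not line:
            break  # an empty line ends the header block
        text = line.decode("latin-1")
        if text[0] in " \t":
            # Continuation line: RFC 2616 folding, "obs-fold" in RFC 7230.
            if not headers:
                malformed.append(text)
            elif unfold:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + text.strip())
            # unfold=False drops the continuation, truncating the value.
            continue
        name, sep, value = text.partition(":")
        if not sep or not name or name != name.strip():
            malformed.append(text)  # no colon, or whitespace around the name
            continue
        headers.append((name.lower(), value.strip()))
    return headers, malformed


# Continuation lines start with SP or HT: valid folding under RFC 2616.
FOLDED = (b'Host: your.server.com\r\n'
          b'Authorization: OAuth realm="",\r\n'
          b' oauth_nonce="49a19e21eebf0",\r\n'
          b'\toauth_version="1.0"\r\n\r\n')

# Bare newlines with no leading whitespace: not folding, just broken lines.
UNINDENTED = (b'Host: your.server.com\r\n'
              b'Authorization: OAuth realm="",\r\n'
              b'oauth_nonce="49a19e21eebf0",\r\n'
              b'oauth_version="1.0"\r\n\r\n')

if __name__ == "__main__":
    for label, raw in (("folded", FOLDED), ("unindented", UNINDENTED)):
        for unfold in (True, False):
            print(label, unfold, parse_headers(raw, unfold))
```

RFC 7230 asks a server that receives obs-fold in a request to either reject it with 400 or replace the fold with spaces before interpreting or forwarding the value. When a proxy and the application behind it handle folding differently, they see different Authorization values for the same request.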