Crash my webserver!

[Andrea Fontana]

On Saturday, 13 May 2023 at 22:25:28 UTC, Vladimir Panteleev 
wrote:
> On Saturday, 13 May 2023 at 11:32:39 UTC, Andrea Fontana wrote:
>> Do you mean as line separator in headers? I know some (old?) 
>> clients use it but I think HTTP protocol requires CRLF
>
> Ah, OK. I thought the specification allowed either.
>
>>> - Host header is mandatory, but not for nginx
>> Only for HTTP/1.1. It's not mandatory for HTTP/1.0, is it?
>
> I get a 400 with 1.0 too.
>
>>> - Raw UTF-8 gets mangled in URL and POST parameters, you 
>>> might be decoding those twice
>>
>> Interesting, could you please give me an example?
>
>     printf 'GET /?ппп=ĂÎȘȚ HTTP/1.0\r\nHost: 
> test.andreafontana.it\r\n\r\n' | nc -v test.andreafontana.it 
> 57123
>
> It returns mojibake. However, only for URL and form parameters.
>
> Normally these get percent-encoded by user-agents though.

Hmm I don't think you can use utf-8 encoding in your request. I 
think everything must be encoded as old US-ASCII.

How can I understand in advance what encoding you're using, 
otherwise? You could use utf-8 or big5 but I couldn't tell, or am 
I missing something?

Andrea