HTTP/1.1: method names are case-sensitive

RFC 2616 states that method names are case sensitive, but the Squid
parser has been accepting them case-insensitive.

Enforce case-sensitive behaviour when performing strict HTTP parse.

NOTE: avoid HTTP_VIOLATIONS since there is no normative MUST/SHOULD
involved in the specification texts.

diff --git a/src/HttpRequestMethod.cc b/src/HttpRequestMethod.cc
index 4fe6fc960bcc0194c8ed20d3cbcb309da573df01..70376510fd61e9121dca447bea396b2fe3f82d8a 100644 (file)
--- a/src/HttpRequestMethod.cc
+++ b/src/HttpRequestMethod.cc
@@ -47,8 +47,16 @@ HttpRequestMethod::HttpRequestMethod(char const *begin, char const *end) : theMe
     }
 
     for (++theMethod; theMethod < Http::METHOD_ENUM_END; ++theMethod) {
+        // RFC 2616 section 5.1.1 - Method names are case-sensitive
+        // NP: this is not a HTTP_VIOLATIONS case since there is no MUST/SHOULD involved.
         if (0 == strncasecmp(begin, Http::MethodType_str[theMethod], end-begin)) {
-            return;
+
+            // relaxed parser allows mixed-case and corrects them on output
+            if (Config.onoff.relaxed_header_parser)
+                return;
+
+            if (0 == strncmp(begin, Http::MethodType_str[theMethod], end-begin))
+                return;
         }
     }