Issue Report: Apache SOAP Module doesn't work anymore with Apache 2.4.25


(Jochen Klein) #1

We have discovered a behaviour in RemObjects SDK Version 7.0.69.1081 that does not work anymore with newer Apache versions.

Problem description:

a few years ago we have developed an Apache SOAP WebService in Delphi, using TROSOAPMessage, with RemObjects SDK Version 7.0.69.1081.
At the time the WebService has been developed, the resulting ISAPI module was loaded into Apache Version 2.4.2 and worked fine.

But since an Apache update to Version 2.4.25 we get an Internal Server Error 500 at calling a function of the WebService, and the Apache error log entry reads “AH02428: Empty response header name, aborting request.”

We assume that this error is caused by RemObjects, that includes an “empty” header field in the response header, while a new Apache security fix - see https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25 (CVE-2016-8743) - does not accept “empty” header fields anymore.

The response header, copied from WireShark TCP Stream, using the older Apache Version, reads
HTTP/1.1 200 OK
Date: Tue, 05 Sep 2017 12:59:07 GMT
Server: Apache/2.4.2 (Win32) OpenSSL/1.0.1c
:
Accept-Encoding: gzip, identity
Content-Length: 619
Content-Type: text/xml; charset=utf-8

Here you can see this no longer accepted empty header line (consisting of just a colon) within the response header.

We would like to know if this is a known problem resp if there is a newer version of RemObjects SDK that fixes it, or if there is any workaround for it.


(EvgenyK) #3

try to update uROWebBrokerServer.pas:

procedure TROWebBrokerServer.IntOnBeforeDispatch(Sender: TObject;
  Request: TWebRequest; Response: TWebResponse; var Handled: Boolean);
..
        else if lName = id_ContentType then
        else if lName <> '' then  // changed
          Response.CustomHeaders.Values[lName] := lvalue;

pls inform if this change works for you


(Jochen Klein) #6

Thank you for the suggested code. I have tried it, but it has not changed anything. And it could not because the condition

if lName <> '' then

is never reached because of the line

if lName = '' then Continue; 

a few lines above.


(EvgenyK) #7

can you see if Response.CustomHeaders in this method contains empty line and remove it?
it can be something like

for i := Response.CustomHeaders.Count-1 downto 0 do
  if Response.CustomHeaders[i] = '' then Response.CustomHeaders.Delete(i);
Handled := True; //present 

will it work?


(Jochen Klein) #8

Sorry for the late answer (there were other priorities in the meantime), and thanks for your suggested solution! It works fine if slightly changed:

  for i := Response.CustomHeaders.Count-1 downto 0 do
    if Trim(Response.CustomHeaders.Names[i]) = '' then Response.CustomHeaders.Delete(i);
  Handled := True;

Now I would like to know if it will be part of a future version of RemObjects SDK?


(RemObjects) #9

Thanks, logged as bugs://78717


(RemObjects) #10

bugs://78717 got closed with status fixed.


(EvgenyK) #11

it will be in next beta