[En-Nut-Discussion] Failed HTTP request

Harald Kipp harald.kipp at egnite.de
Wed Apr 20 16:56:31 CEST 2011

Hi all,

using Mozilla 3.6.16 to request pages from nut/httpd sample fails here, 
when trying to access any of the protected CGI pages. It looks like 
Nut/OS 4.9.10 ignores the authorization header. I'm sure that this 
applies to all previous versions as well.

A trace of incoming traffic shows, that the last detected header line was

  Accept-Language: en-US,en,de-DE,de;q=0.9,en-....

The line is exactly 511 bytes(!) long, including the trailing LF-CR. The 
default max. line size in the HTTP API is 256, specified by 
HTTP_MAX_REQUEST_SIZE. However, fgets() will read one less, see


After 2 reads the line-feed character will be left in the buffer. Thus, 
the third read will look like an empty line, which is interpreted as the 
end of the header. The following header lines, specifically

  Authorization: Basic cm9vdDpyb290

are ignored.

Increasing the Max. Request Line Size in the Configurator fixes the 
problem. This parameter is found at

  Network (application layer) -> HTTP Server API

Well, I do not like this solution. There seems to be no limit defined in 
the specs. Apache, for example, excepts up to 8 kBytes.

With a careful web layout I should be able to decrease the input buffer 
even below the default, saving some valuable RAM. Remember, that this 
buffer will be created for each concurrent connection. I wouldn't care 
about ignoring those long lines I'm not interested in anyway.

Did anybody look into this? The bug tracker at sourceforge doesn't show 
any related issue and I couldn't find anything in this list's archive.



More information about the En-Nut-Discussion mailing list