"Bad Request - Invalid Header" with some redirection URLs

Everything about using the stand-alone Adblock Plus app on Android

"Bad Request - Invalid Header" with some redirection URLs

Postby enzom » Mon Nov 23, 2015 9:21 am

Some URLs such as:

http://click.email.ft.com/?qs=3ab2dcaee14c753d45f5f5ce91eda0d977df215b6dbc6d931e7b5991168f64b6c9d99d46fa7cfaa8

...result in the following error:

Bad Request - Invalid Header
HTTP Error 400. The request has an invalid header name


This happens with Adblock Plus Version 1.3 build# 359 on a Galaxy S5 Duos under Android 4.4.2; SM-G900FD Build/KOT49H, with both Chrome 46.0.2490.76 and the stock browser called "Internet".

The error condition persists even after disabling the filtering.
enzom
 
Posts: 5
Joined: Mon Nov 23, 2015 8:50 am

Re: "Bad Request - Invalid Header" with some redirection URLs

Postby rach » Mon Dec 07, 2015 6:19 pm

Hey enzom!

I have tried to test out the link you send, but I do not get that error? Could you possibly try it again? Perhaps it was a temporary error.

Let us know if you still have any trouble with accessing it.

All the best,
rach
ABP Community Manager
 
Posts: 310
Joined: Tue Nov 17, 2015 11:05 am

Re: "Bad Request - Invalid Header" with some redirection URLs

Postby enzom » Tue Dec 08, 2015 2:13 pm

rach wrote:Hey enzom!

I have tried to test out the link you send, but I do not get that error? Could you possibly try it again? Perhaps it was a temporary error.

Let us know if you still have any trouble with accessing it.

All the best,


No, the bug is still there, and I think I've found the cause. I captured the packets sent by the proxy to the web server (using TCPdump on the router) and it turns out that that the HTTP request contains a very long cookie (which your browser doesn't send because you are not logged on the FT.com website...); apparently, AdBlock Plus inserts a CRLF after the first KB of the "Cookie": header. It also chops 57 bytes off the end of the second piece:

Original cookie header:
Code: Select all
Cookie: SIVISITOR=MS41MjAuODY4NTc5MzkxMzkwMS4xNDQyNDQ5MzMzNTIyLjU3ZmZlNjIy*; FTUserTrack=218.103.207.18.1442449334781019; __gads=ID=2343ada717035b3c:T=1442537980:S=ALNI_MY6PZ39CYb0yZcsb10CwFzEHYyHXg; FTSession=09eB-sSOyE5K04jKlO9mpX5yzwAAAVCX9I8Cww.MEUCIQCKikfbv66YBD1CzewDi8OnGdcQ7VsZ92NxxK-J_5cOnwIgCuccZYq418XT8p6H6Lo_qRoWYnW3wu4DnTHcOckpmvg; FT_Remember=3474851:TK7289857574893577512:FNAME=MICHELANGELI:LNAME=ENZO:EMAIL=enzomich@gmail.com; anon-opt-in=true; mm_ijento_sent=VC66VideoWidgetCopy%7CVC79HideRegisterLink%7CVC92BarrierOfferSegmenting%7CT18_MobOverlayDesign%7C; __utma=138983524.1213373358.1442449348.1447471368.1449199838.3; __utmz=138983524.1449199838.3.3.utmcsr=m.ft.com|utmccn=(referral)|utmcmd=referral|utmcct=/2015/12/03/2146593/enroll-now-a-crisis-teach-in-with-tim-geithner; FT_P=exp=1449542323214&prod=71|72|74; FT_U=_EID=3474851_PID=4003474851_TIME=%5BTue%2C+08-Dec-2015+02%3A08%3A43+GMT%5D_SKEY=1Q73r7pNzYBIEU02HDu5nw%3D%3D_; FT_User=USERID=4003474851:EMAIL=enzomich@gmail.com:FNAME=MICHELANGELI:LNAME=ENZO:TIME=%5BTue%2C+08-Dec-2015+02%3A08%3A43+GMT%5D:USERNAME=enzomich@gmail.com:REMEMBER=_REMEMBER_:ERIGHTSID=3474851:PRODUCTS=_Tools_P0_P2_:RESOURCES=_lex_immediatepremium_printedn_portfolio_ePaper_clipthis_nbe_extelapp_referrer check_ftnipa_tools_ftalert_fastft_fttools_pagepremium_mobilegold_hybrid_third-party-blogs_ftnipa_countedcount_Premium Benefits_:GROUPS=_B2CMigrated_Order Management_Migration Completed_Asia_:X=MC0CFCWp6HNhD%2FVuFNn%2FZAZP%2Fn0fxFMkAhUAjnwiF8uyDiVWZGfuaPUr%2B%2FKYIUU%3D; mmcore.tst=0.791; mm_pc=Discount%3DNo%26MarketoEmail%3DNoMarketoEmail%26B2BorB2C%3DB2C; cookieconsent=seen; mmid=2118282253%7CRAAAAAo6+jK0bQwAAA%3D%3D; mmcore.pd=2118282253%7CRAAAAAo6+jK0bQwAAA%3D%3D; mmcore.srv=lvsvwcgeu03; FT_M=D=M|F=|R=0; FT_SITE=NEXT; FTAllocation=d781fac4-8ec8-4e4a-88ca-94ef66a57e72; h2_spd=5000; h2_isEnabled=true; h2_rtt=105; AYSC=_01_02X_04PVT_05ITT_06TEC_07OP_12_13HKG_14HKG_15HK_17PVT_18PVT_19xxxx_20x_22ToolsP0P2_24PVT_25PVT_26PVT_27PVT_40_41_42_45_47ABW01_53_96PVT_97_98PVT_; AYSC_C=S; spoor-id=1f070c28-38a1-41b3-bca3-fb5f4d5d232d


Cookie header produced by the AdBlock Plus proxy (split into two lines by the spurious CRLF after 1024 bytes):
Code: Select all
Cookie: SIVISITOR=MS41MjAuODY4NTc5MzkxMzkwMS4xNDQyNDQ5MzMzNTIyLjU3ZmZlNjIy*; FTUserTrack=218.103.207.18.1442449334781019; __gads=ID=2343ada717035b3c:T=1442537980:S=ALNI_MY6PZ39CYb0yZcsb10CwFzEHYyHXg; FTSession=09eB-sSOyE5K04jKlO9mpX5yzwAAAVCX9I8Cww.MEUCIQCKikfbv66YBD1CzewDi8OnGdcQ7VsZ92NxxK-J_5cOnwIgCuccZYq418XT8p6H6Lo_qRoWYnW3wu4DnTHcOckpmvg; FT_Remember=3474851:TK7289857574893577512:FNAME=MICHELANGELI:LNAME=ENZO:EMAIL=enzomich@gmail.com; anon-opt-in=true; mm_ijento_sent=VC66VideoWidgetCopy%7CVC79HideRegisterLink%7CVC92BarrierOfferSegmenting%7CT18_MobOverlayDesign%7C; __utma=138983524.1213373358.1442449348.1447471368.1449199838.3; __utmz=138983524.1449199838.3.3.utmcsr=m.ft.com|utmccn=(referral)|utmcmd=referral|utmcct=/2015/12/03/2146593/enroll-now-a-crisis-teach-in-with-tim-geithner; FT_P=exp=1449542323214&prod=71|72|74; FT_U=_EID=3474851_PID=4003474851_TIME=%5BTue%2C+08-Dec-2015+02%3A08%3A43+GMT%5D_SKEY=1Q73r7pNzYBIEU02HDu5nw%3D%3D_; FT_User=USERID=4003474851:EMAIL=enzomich@gmail.com:FNAME=MICHELANGELI:LNA

Code: Select all
ME=ENZO: TIME=%5BTue%2C+08-Dec-2015+02%3A08%3A43+GMT%5D:USERNAME=enzomich@gmail.com:REMEMBER=_REMEMBER_:ERIGHTSID=3474851:PRODUCTS=_Tools_P0_P2_:RESOURCES=_lex_immediatepremium_printedn_portfolio_ePaper_clipthis_nbe_extelapp_referrer check_ftnipa_tools_ftalert_fastft_fttools_pagepremium_mobilegold_hybrid_third-party-blogs_ftnipa_countedcount_Premium Benefits_:GROUPS=_B2CMigrated_Order Management_Migration Completed_Asia_:X=MC0CFCWp6HNhD%2FVuFNn%2FZAZP%2Fn0fxFMkAhUAjnwiF8uyDiVWZGfuaPUr%2B%2FKYIUU%3D; mmcore.tst=0.791; mm_pc=Discount%3DNo%26MarketoEmail%3DNoMarketoEmail%26B2BorB2C%3DB2C; cookieconsent=seen; mmid=2118282253%7CRAAAAAo6+jK0bQwAAA%3D%3D; mmcore.pd=2118282253%7CRAAAAAo6+jK0bQwAAA%3D%3D; mmcore.srv=lvsvwcgeu03; FT_M=D=M|F=|R=0; FT_SITE=NEXT; FTAllocation=d781fac4-8ec8-4e4a-88ca-94ef66a57e72; spoor-id=1f070c28-38a1-41b3-bca3-fb5f4d5d232d; AYSC=_01_02X_04PVT_05ITT_06TEC_07OP_12_13HKG_14HKG_15HK_17PVT_18PVT_19xxxx_20x_22ToolsP0P2_24PVT_25PVT_26PVT_27PVT_40_41_42_45_47ABW01_53_96PVT_97_98PVT_


Considering that there are no specific limits to the size of a cookie (other than no more than 4096 bytes should be occupied by all cookies) please enlarge the buffer used for the headers to at least 4096 + 10 = 4106 bytes (the 8 are for the string "Cookie: " at the start and the CRLF at the end).

Best regards,

Enzo
enzom
 
Posts: 5
Joined: Mon Nov 23, 2015 8:50 am

Re: "Bad Request - Invalid Header" with some redirection URLs

Postby enzom » Sat Dec 12, 2015 3:40 pm

...and I suspect that at list one of the places where 1024 has to be changed into 4106 is src/sunlabs/brazil/util/http/MimeHeaders.java :

Code: Select all
public class MimeHeaders
    extends StringMap
{
    /*
     * Place arbitrary limits on header size to mitigate DOS attacts.
     */

    public static final int MAX_LINE=1024;
    public static final int MAX_LINES=1024;

    /**
     * Creates a new, empty <code>MimeHeaders</code> object.
     */
    public
    MimeHeaders()
    [...]
enzom
 
Posts: 5
Joined: Mon Nov 23, 2015 8:50 am

Re: "Bad Request - Invalid Header" with some redirection URLs

Postby mapx » Sat Dec 12, 2015 3:58 pm

enzo,

you should file an issue on the bug traker with all these details you exposed above
https://issues.adblockplus.org
User avatar
mapx
 
Posts: 21947
Joined: Thu Jan 06, 2011 3:01 pm


Return to Adblock Plus for Android support

Who is online

Users browsing this forum: No registered users and 7 guests