Details
- Suggestion
- Resolution: Done
- P4: Low
- 5.5.1
- None
Description
ref https://bugreports.qt.io/browse/QTBUG-49659
PhantomJS, a headless browser (http://phantomjs.org/), uses Qt for networking. It is meant for automating web tasks, but unfortunately this client has been used as a bot in DDoS attacks too. And because Qt uses an arbitrary ordering of HTTP header fields (for example, "Host" is the last field, while most browsers send it first), it's possible to identify the library/client; thus, for all applications that use Qt for networking and make requests against bot-protected sites (Incapsula, Cloudflare, etc.), the HTTP requests will be deemed suspicious and may even be blocked.
RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing:
The order in which header fields with differing field names are received is not significant. However, it is good practice to send header fields that contain control data first, such as Host on requests and Date on responses, so that implementations can decide when not to handle a message as early as possible.
First order of business would be to bump the field "Host" to the top, but I would also suggest looking at the way modern browsers (Firefox, Chrome) send their headers and trying to make Qt send the headers in roughly the same order, in order to make it harder for Incapsula to discriminate requests from Qt.
File in question: qhttpnetworkconnection.cpp
void QHttpNetworkConnectionPrivate::prepareRequest(HttpMessagePair &messagePair)
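As an added illustration (not code from Qt or from this report), the sketch below shows how a server-side filter can read the header-field order the report describes: it extracts the ordered field names from a raw HTTP/1.1 request and reports where Host appears. The function names and both sample requests are constructed for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Ordered, lower-cased field names of an HTTP/1.1 request head.
// Parsing stops at the empty line that ends the header section.
std::vector<std::string> headerOrder(const std::string &rawRequest)
{
    std::vector<std::string> names;
    std::istringstream in(rawRequest);
    std::string line;
    std::getline(in, line);                          // skip the request line
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty()) break;                     // end of header section
        if (line[0] == ' ' || line[0] == '\t') continue;  // folded continuation, not a new field
        const auto colon = line.find(':');
        if (colon == std::string::npos || colon == 0) continue;  // malformed line
        std::string name = line.substr(0, colon);
        std::transform(name.begin(), name.end(), name.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        names.push_back(name);
    }
    return names;
}

// Zero-based position of Host in the field order, or -1 when absent.
int hostPosition(const std::vector<std::string> &order)
{
    const auto it = std::find(order.begin(), order.end(), "host");
    return it == order.end() ? -1 : static_cast<int>(it - order.begin());
}

// Field names joined by ','; header values are ignored, so the string
// depends only on which fields were sent and in what order.
std::string orderSignature(const std::vector<std::string> &order)
{
    std::string sig;
    for (const auto &n : order) sig += (sig.empty() ? "" : ",") + n;
    return sig;
}

// Constructed sample requests: Host sent last, and Host sent first.
const std::string kHostLast = "GET / HTTP/1.1\r\nUser-Agent: ExampleClient/1.0\r\n"
    "Accept: */*\r\nConnection: Keep-Alive\r\nHost: example.com\r\n\r\n";
const std::string kHostFirst = "GET / HTTP/1.1\r\nHost: example.com\r\n"
    "User-Agent: ExampleClient/1.0\r\nAccept: */*\r\nConnection: Keep-Alive\r\n\r\n";
```

Two requests with identical fields and values produce different signatures here purely because of where Host sits, which is the property the report says bot-protection services key on.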
Issue Links
- relates to: QTBUG-49659 QHttpNetworkRequest: Add support for custom ordering of headers (Closed)
For Gerrit Dashboard: QTBUG-51557

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
216980,2 | QNAM should prepend Host header to the header list instead of appending | 5.10 | qt/qtbase | MERGED | +2 | 0 |