[openstack-dev] [glance] HTTP Header encoding policy

Zane Bitter zbitter at redhat.com
Fri Jan 25 20:32:25 UTC 2013

I've been looking into the way the Glance v1 API handles HTTP headers, 
in particular the x-image-meta-name header, which contains user-supplied 
data. There seems to be a lot of inconsistency. As near as I can tell:

* In python-glanceclient
  - The name is encoded as ASCII (by calling str())[1]
  - non-ASCII characters in the name cause a crash
  - characters that are illegal in a header token are not quoted

* Received headers in Glance
  - Are not decoded in any way, just treated as valid ASCII text[2]

* Sent (echoed) headers in Glance
  - Are encoded as UTF-8 [3]
  - characters that are illegal in a header token are not quoted

For reference the format of this header field contents is defined in 
section 4.2 of RFC 2616 [4]:

        field-content  = <the OCTETs making up the field-value
                         and consisting of either *TEXT or combinations
                         of token, separators, and quoted-string>

...which must be further interpreted using section 2.2 [5]:

   The TEXT rule is only used for descriptive field contents and values
   that are not intended to be interpreted by the message parser. Words
   of *TEXT MAY contain characters from character sets other than
   ISO-8859-1 only when encoded according to the rules of RFC 2047.

        TEXT           = <any OCTET except CTLs,
                         but including LWS>

... all of which appears to mean that the correct encoding is iso-8859-1 
(which covers many western European languages, but obviously not 
Cyrillic scripts, CJKV &c.), with anything beyond that encoded using the 
(hideous) MIME header encoding rules[6].

Before I start raising bugs, do we have any policy on what values should 
be allowed and how they should be encoded? The API docs[7] are silent on 
the matter. Is changing the API in this respect even an option at this 
point in time?


[4] http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
[5] http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
[6] http://www.ietf.org/rfc/rfc2047.txt
[7] http://docs.openstack.org/developer/glance/glanceapi.html
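
The encoding rules quoted in the message above, as an added Python 3 example that is not part of the original post and is not Glance or python-glanceclient code. The function names, the choice of UTF-8 base64 for RFC 2047 encoded-words, and the refusal of CR/LF instead of header folding are assumptions of this sketch.

```python
import base64
from email.header import decode_header


def encode_field_value(name: str) -> str:
    """Turn a user-supplied name into an RFC 2616 TEXT field value."""
    # TEXT excludes CTLs. HT is kept because it is part of LWS; CR and LF
    # are refused outright, which also prevents header injection.
    if any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in name):
        raise ValueError("control character in header value")
    try:
        name.encode("iso-8859-1")
        fits_latin1 = True
    except UnicodeEncodeError:
        fits_latin1 = False
    # A literal "=?" could be mistaken for an encoded-word by the receiver,
    # so such names are encoded as well.
    if fits_latin1 and "=?" not in name:
        return name  # put on the wire with .encode("iso-8859-1")
    b64 = base64.b64encode(name.encode("utf-8")).decode("ascii")
    word = "=?utf-8?b?" + b64 + "?="
    if len(word) > 75:  # RFC 2047 limit for a single encoded-word
        raise ValueError("name too long for a single encoded-word")
    return word


def decode_field_value(raw: bytes) -> str:
    """Decode received header octets: ISO-8859-1 first, then RFC 2047."""
    text = raw.decode("iso-8859-1")  # every octet maps to one code point
    parts = []
    for chunk, charset in decode_header(text):
        if isinstance(chunk, bytes):
            # Unencoded runs come back as bytes with charset None.
            chunk = chunk.decode(charset or "iso-8859-1")
        parts.append(chunk)
    return "".join(parts)


if __name__ == "__main__":
    # Constructed sample names, not taken from the post.
    for sample in ("cirros", "Café", "Образ диска"):
        wire = encode_field_value(sample).encode("iso-8859-1")
        print(repr(sample), "->", wire, "->", repr(decode_field_value(wire)))
```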
