ESP32 Forum

I am using a device (a Geiger counter), which uses an ESP8266 for WiFi, acting as a client. Unfortunately, this device sends the GET request to the server with a CR termination, while it should use CRLF.

Apache sees this as a security risk, and rejects the request with "400 Bad Request" and logs it as "malformed request line" (https://httpd.apache.org/security/vul..., scroll to "important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)"). More discussion here: https://ask.wireshark.org/question/2431 ... d-request/

The AT command `<AT+GMR>` gives: `AT+GMR\r\r\nAT version:1.2.0.0(Jul 1 2016 20:04:45)\r\nSDK version:1.5.4.1 (39cb9a32) ... `. This seems to be pretty old, but, unfortunately, even if a newer one were available which delivers properly formed request lines, I can't use it, as the firmware is closed source.

I can, however, use AT commands on the device, and so I am wondering whether there is any way to modify how such request lines are formed using AT commands?

The above link to the Apache security issue is broken. Here is the proper one:
https://httpd.apache.org/security/vulne ... es_24.html

By the way: the Apache fix of this security issue was released in Dec 2016, so it came after the release of this AP version. Does anyone know whether later ESP-AT releases fixed this problem as well, or does it still exist in the code?

I'm a little confused..I thought the HTTP was added to AT since 2020? https://github.com/espressif/esp-at/rel ... .0_esp8266

The ESP-AT was able to do http calls since 2016 at the latest. Albeit with that request, which is considered "malformed" since Dec 2106 at the latest.

AT version:1.2. 0.0 is too old!

Here I recommend that you use the latest AT version v2.2.1.0 for ESP8266 series. You can download firmware from https://github.com/espressif/esp-at/rel ... .0_esp8266.