icap-server version: 0.5.5
icap-modules version: 0.5.3
Hi,
I use c-icap and the virus-scan module to scan my network traffic. When a virus is detected I see the response below from the c-icap server:
HTTP/1.0 403 Forbidden
Server: C-ICAP
Connection: close
Content-Type: text/html
Content-Language: en
Via: ICAP/1.0 lynx-client0 (C-ICAP/0.5.5 Antivirus service )
1c3
<html>
<head>
<title>VIRUS FOUND</title>
</head>
<body>
<h1>VIRUS FOUND</h1>
You tried to upload/download a file that contains the virus:
<b> Eicar-Test-Signature </b>
<br>
The Http location is:
<b> 172.16.0.2:8800/eicar.html </b>
<p>
For more information contact your system administrator
<hr>
<p>
This message generated by C-ICAP service: <b> virus_scan </b>
<br>Antivirus engine: <b> clamav-01014/25581 </b>
</p>
</body>
</html>
..
0
The response header shows that this is an HTTP/1.0 message and we can see that the body is chunked. However, the chunked encoding was added in HTTP/1.1, which means that this message is incorrect.
Also the HTTP/1.0 is not mentioned anywhere in RFC 3507 - doesn't it mean that the ICAP server is not allowed to generate HTTP/1.0 messages?
If the two above statements are correct then maybe it would be possible to modify c-icap so it would return an HTTP/1.1 message when a virus is detected?
Thanks.
Milosz
Anonymous
This is not a c-icap bug. The c-icap produces a valid HTTP/1.0 message.
However, there is not any reason for c-icap to send back HTTP/1.0 messages. The only change which is required is to compute and add the Content-Length header with the HTTP message.
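
The change described in the reply above, sketched as an added example (not part of the thread and not c-icap's own code): strip the chunk framing seen in the capture, measure the body, and emit the HTTP header with a computed Content-Length. The function names and the sample block page are constructed for illustration; the status line is left as received.

```python
# Added illustration, not c-icap source; sample data below is constructed.

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body: hex size line, data, CRLF, ..., ended by a 0 chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # Anything after ';' on the size line is a chunk extension; ignore it.
        size = int(data[pos:eol].split(b";", 1)[0].strip(), 16)
        if size < 0:
            raise ValueError("negative chunk size")
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = data[pos:pos + size]
        # Reject short reads and chunks not followed by CRLF, so a
        # truncated block page is never forwarded with a wrong length.
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


def with_content_length(header: bytes, chunked_body: bytes) -> bytes:
    """Return header + body with a computed Content-Length and no chunk framing."""
    body = dechunk(chunked_body)
    lines = header.rstrip(b"\r\n").split(b"\r\n")
    # Drop stale framing headers so only one length indication remains.
    stale = (b"content-length:", b"transfer-encoding:")
    kept = [ln for ln in lines if not ln.lower().startswith(stale)]
    kept.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(kept) + b"\r\n\r\n" + body


# Constructed sample modelled on the header fields shown in the capture.
SAMPLE_HEADER = (b"HTTP/1.0 403 Forbidden\r\nServer: C-ICAP\r\n"
                 b"Connection: close\r\nContent-Type: text/html\r\n\r\n")
SAMPLE_PAGE = b"<html><body><h1>VIRUS FOUND</h1></body></html>\n"
SAMPLE_CHUNKED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(SAMPLE_PAGE), SAMPLE_PAGE)

if __name__ == "__main__":
    print(with_content_length(SAMPLE_HEADER, SAMPLE_CHUNKED).decode())
```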