Henrik Nordstrom wrote:
> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote:
>
>> Henrik Nordstrom wrote:
>>
>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote:
>>>
>>>> Yes; we looked at disallowing it, but implementations that support
>>>> folding do already support whitespace-only lines.
>>>>
>>> Some. Many fail, misreading it as end-of-headers...
>>>
>> Last time I looked, I think Mozilla was in that category.
>>
>
> Still?
>
> There was a security whitepaper on this some years ago which made a lot
> of people jump.. (or actually two with about a year in between, one
> looking at responses, one at requests)
>

Yes, that was me ;-)

2004 - HTTP Response Splitting:
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

2005 - HTTP Request Smuggling:
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Received on Friday, 14 November 2008 22:55:05 GMT
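The disagreement discussed in this thread (a whitespace-only line read as a folded continuation by one implementation and as end-of-headers by another) can be checked for at a proxy or gateway. The sketch below is an added example, not part of the original message or of any implementation named in it; the function names and sample messages are constructed for illustration.

```python
# Added illustration; all names and sample messages here are constructed.
CRLF = b"\r\n"

def parse_headers(raw: bytes, blank_is_end: bool):
    """Return (headers, body) for a raw HTTP/1.x message.

    blank_is_end=False: a line starting with SP/HTAB is a folded continuation,
                        even when it holds nothing but whitespace.
    blank_is_end=True:  a whitespace-only line is taken as end-of-headers
                        (the misreading described in the thread).
    """
    lines = raw.split(CRLF)
    headers, i = [], 1                      # lines[0] is the start line
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == b"" or (blank_is_end and line.strip(b" \t") == b""):
            break                           # this reading ends the headers here
        if line[:1] in (b" ", b"\t") and headers:
            # Folded line: append its content to the previous header's value.
            name, value = headers[-1]
            headers[-1] = (name, (value + b" " + line.strip(b" \t")).strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.lower(), value.strip(b" \t")))
    return headers, CRLF.join(lines[i:])

def ambiguous_header_block(raw: bytes) -> bool:
    """True when the two readings disagree; such a message should be rejected."""
    return parse_headers(raw, False) != parse_headers(raw, True)

# Constructed sample: a whitespace-only line sits between two header fields.
SAMPLE_BLANK_FOLD = (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: first\r\n"
                     b" \r\nX-After: only-folding-parsers-see-this\r\n\r\n")
# Constructed sample: ordinary folding, which both readings parse identically.
SAMPLE_CLEAN_FOLD = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                     b"X-Note: first\r\n second\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("blank fold", SAMPLE_BLANK_FOLD),
                       ("clean fold", SAMPLE_CLEAN_FOLD)):
        print(label, "-> reject" if ambiguous_header_block(msg) else "-> accept")
```

Rejecting any message for which the two readings differ removes the ambiguity before the message reaches a downstream parser that might take the other reading.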