W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2004

Re: Bad header syntax -- is this par for the course?

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Wed, 23 Jun 2004 08:43:13 -0600 (MDT)
To: Jamie Lokier <jamie@shareable.org>
Cc: ietf-http-wg@w3.org
Message-ID: <Pine.BSF.4.58.0406230830290.98621@measurement-factory.com>

On Wed, 23 Jun 2004, Jamie Lokier wrote:

> Is this sort of thing commonplace?

Common or not, it does happen. When a proxy writer/administrator is
faced with the "but it works without a proxy!" or "but it works
through XYZ proxy!" pressure, there is little she can do about them,
given our overall "garbage in, compliance out" culture.

> I was rather hoping to write a proxy that could at least assume the
> basic lexical syntax of HTTP/1.0 and /1.1 -- so as not to forward
> invalid syntax, which is a security hole -- but it appears not.

A common approach is to switch to a tunnel mode for the transaction in
question and terminate the connection as soon as possible. This
approach follows the "first, do no harm" principle for intermediaries.
As any approach within the current IT culture, it may have negative
security implications.

> Is there a well known of server/proxy bugs, and the workarounds needed
> by a robust client/proxy in the real world, so I don't have to repeat
> the research people have done before?
>
> (There's a fairly good list of known client bugs at apache.org, but
> they don't document server/proxy bugs).

Oh, they do, but in a different place: Apache bugzilla database :-).

Alex.
Received on Wednesday, 23 June 2004 10:43:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:31 GMT