W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Message delimiting security issues

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Wed, 17 Jan 2007 11:47:33 +0100
To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
Cc: Mark Nottingham <mnot@mnot.net>, Scott Lawrence <scott@skrb.org>, "Roy T.Fielding" <fielding@gbiv.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1169030853.12807.60.camel@henriknordstrom.net>
tis 2007-01-16 klockan 20:47 -0600 skrev William A. Rowe, Jr.:

> Security issues are caused by implementors.  Please reread the Watchfire
> report carefully to observe all the ways an implementor can do so.

The reports covers many possible permutations, but is not an
authoritative reference on what is or is not allowed by the specs. Some
of the constructs used is clearly invalid, most simply dubious
exploiting the fact that the specs is not clear.

Header names and implied LWS:
[I30] http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i30

Does the implied LWS rule apply to header names, even if it's not
allowed in MIME? Allowing LWS around the header name does not make
sense, but it is not explicitly forbidden.

I.e. is

Content-Length : 100

or if you like (equivalent)


valid HTTP headers, even if they are not valid MIME headers?

Double CR and end of headers:
[partly covered by I30]

Also is

a blank header terminating the headers, or is it a invalid header line
consisting of a single <CR>?  Well, this one is clear (it's a <CR> line,
not blank), but unfortunately 19.3 encourages ignoring <CR> which easily
leads to implementations getting this wrong.

[no issue assigned]

And how SHOULD a recipient react if there is multiple Content-Length

These aspects is critical for defining the message delimiting within the
protocol, and still the specs is quite silent on the details which calls
for the kind of interoperability problems shown in the report.


Received on Wednesday, 17 January 2007 10:47:45 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 October 2015 05:36:21 UTC