tis 2007-01-16 klockan 20:47 -0600 skrev William A. Rowe, Jr.: > Security issues are caused by implementors. Please reread the Watchfire > report carefully to observe all the ways an implementor can do so. The reports covers many possible permutations, but is not an authoritative reference on what is or is not allowed by the specs. Some of the constructs used is clearly invalid, most simply dubious exploiting the fact that the specs is not clear. Header names and implied LWS: [I30] http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i30 Does the implied LWS rule apply to header names, even if it's not allowed in MIME? Allowing LWS around the header name does not make sense, but it is not explicitly forbidden. I.e. is Content-Length : 100 or if you like (equivalent) Content-Length :100 valid HTTP headers, even if they are not valid MIME headers? Double CR and end of headers: [partly covered by I30] Also is <CR><CR><NL> a blank header terminating the headers, or is it a invalid header line consisting of a single <CR>? Well, this one is clear (it's a <CR> line, not blank), but unfortunately 19.3 encourages ignoring <CR> which easily leads to implementations getting this wrong. [no issue assigned] And how SHOULD a recipient react if there is multiple Content-Length headers? These aspects is critical for defining the message delimiting within the protocol, and still the specs is quite silent on the details which calls for the kind of interoperability problems shown in the report. Regards Henrik
Received on Wednesday, 17 January 2007 10:47:45 UTC