
Re: Message delimiting security issues

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Wed, 17 Jan 2007 20:51:57 +0100
To: Travis Snoozy <ai2097@users.sourceforge.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1169063517.12807.135.camel@henriknordstrom.net>
On Wed 2007-01-17 at 11:22 -0800, Travis Snoozy wrote:

> struck between what's secure and what's utilitarian. However, being _blatantly_
> malformed (e.g., two of any field that's not a #list) is always grounds for
> immediate rejection. Fuzzy repair work, in this case, is a Very Bad Thing.

The issue being that most implementations won't check this unless it's
required. Simply chewing what they get. And depending on the
implementation this results in the implementation reading either the
first occurrence or the last of the headers.

Also, with the extensibility of HTTP it is hard to put as a general
requirement that recipients should check how many times a non-list
header is seen.


Received on Wednesday, 17 January 2007 19:52:27 UTC
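
The disagreement described in this message, as an added Python example that is not part of the original thread: one constructed request with a repeated Content-Length, the value a first-occurrence reader and a last-occurrence reader each take from it, and a recipient that rejects the message instead of repairing it. All function names and the `KNOWN_SINGLETONS` set are assumptions made for illustration; the set is limited to fields the recipient knows to be non-list, since it cannot judge extension headers it has never seen.

```python
# Added example. RAW is a constructed request; all helper names are hypothetical.
RAW = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
)

# Assumption: the recipient can only police fields it knows are non-list.
KNOWN_SINGLETONS = {"host", "content-length", "content-type"}


def parse_fields(raw):
    """Return header fields as (lowercased name, value) pairs, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        fields.append((name.lower(), value.strip()))
    return fields


def first_wins(fields, name):
    """What a 'read the first occurrence' implementation sees."""
    return next((v for n, v in fields if n == name), None)


def last_wins(fields, name):
    """What a 'read the last occurrence' implementation sees."""
    return next((v for n, v in reversed(fields) if n == name), None)


def duplicated_singletons(fields, singletons=KNOWN_SINGLETONS):
    """Map each known non-list field seen more than once to its values."""
    seen = {}
    for n, v in fields:
        seen.setdefault(n, []).append(v)
    return {n: vs for n, vs in seen.items() if n in singletons and len(vs) > 1}


def strict_fields(fields):
    """Reject instead of repairing: raise if a known non-list field repeats."""
    dupes = duplicated_singletons(fields)
    if dupes:
        raise ValueError("repeated non-list header(s): %s" % sorted(dupes))
    return dict(fields)
```

Two hops that each parse this request leniently can disagree on the body length (5 versus 42), which is the message-delimiting problem under discussion; a repeated header outside `KNOWN_SINGLETONS` passes through unchecked.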
