Re: Message delimiting security issues

On Wed 2007-01-17 at 11:22 -0800, Travis Snoozy wrote:

> struck between what's secure and what's utilitarian. However, being _blatantly_
> malformed (e.g., two of any field that's not a #list) is always grounds for
> immediate rejection. Fuzzy repair work, in this case, is a Very Bad Thing.

The issue is that most implementations won't check this unless it's
required; they simply chew what they get. And depending on the
implementation, this results in it reading either the first or the
last occurrence of the header.

Also, with the extensibility of HTTP, it is hard to put as a general
requirement that recipients should check how many times a non-list
header is seen.

Regards
Henrik

Received on Wednesday, 17 January 2007 19:52:27 UTC
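The behaviour Henrik describes, two lenient parsers that silently keep either the first or the last copy of a repeated non-list header, beside the strict rejection Travis argues for, as an added example (not code from the thread or from any HTTP implementation discussed in it). The set of single-valued header names, the sample header blocks and the function names are constructed for illustration.

```python
"""Repeated non-list headers: reject, first-wins, or last-wins.

Added example; not from the original mailing-list thread. The SINGLE_VALUED
set is an assumption for illustration, not a normative list.
"""
from typing import Dict, List, Tuple

# Header fields whose definition is not a comma-separated #list and therefore
# may legitimately appear only once. Assumed set for this example.
SINGLE_VALUED = {"content-length", "host", "content-type", "transfer-encoding"}


class MalformedMessage(ValueError):
    """Raised for a blatantly malformed header block (e.g. a repeated non-list field)."""


def split_header_lines(raw: str) -> List[Tuple[str, str]]:
    """Split a CRLF-delimited header block into (lower-cased name, value) pairs.

    Folded continuation lines (leading whitespace) are appended to the
    previous value; parsing stops at the first empty line.
    """
    pairs: List[Tuple[str, str]] = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        if line[0] in " \t":
            if not pairs:
                raise MalformedMessage("continuation line before any header")
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        if ":" not in line:
            raise MalformedMessage(f"header line without a colon: {line!r}")
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_strict(raw: str) -> Dict[str, str]:
    """Strict parser: #list fields are joined with ', ' (as RFC 2616 section 4.2
    permits); a repeated single-valued field is rejected outright."""
    headers: Dict[str, str] = {}
    for name, value in split_header_lines(raw):
        if name not in headers:
            headers[name] = value
        elif name in SINGLE_VALUED:
            raise MalformedMessage(f"duplicate non-list header: {name}")
        else:
            headers[name] = headers[name] + ", " + value
    return headers


def parse_first_wins(raw: str) -> Dict[str, str]:
    """Lenient parser that keeps the first occurrence of a repeated field."""
    headers: Dict[str, str] = {}
    for name, value in split_header_lines(raw):
        headers.setdefault(name, value)
    return headers


def parse_last_wins(raw: str) -> Dict[str, str]:
    """Lenient parser that keeps the last occurrence of a repeated field."""
    headers: Dict[str, str] = {}
    for name, value in split_header_lines(raw):
        headers[name] = value
    return headers


def implementations_disagree(raw: str, name: str) -> bool:
    """True when a first-wins and a last-wins recipient would see different
    values for `name`, i.e. when the message is ambiguous between them."""
    return parse_first_wins(raw).get(name) != parse_last_wins(raw).get(name)


def strict_rejects(raw: str) -> bool:
    """True when the strict parser refuses the header block."""
    try:
        parse_strict(raw)
    except MalformedMessage:
        return True
    return False


# Constructed sample inputs (not captured traffic).
SAMPLE_DUPLICATE_LENGTH = (
    "Host: example.test\r\n"
    "Content-Length: 5\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
)
SAMPLE_LIST_FIELD = (
    "Host: example.test\r\n"
    "Accept: text/html\r\n"
    "Accept: application/xml\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("first-wins:", parse_first_wins(SAMPLE_DUPLICATE_LENGTH)["content-length"])
    print("last-wins: ", parse_last_wins(SAMPLE_DUPLICATE_LENGTH)["content-length"])
    print("ambiguous: ", implementations_disagree(SAMPLE_DUPLICATE_LENGTH, "content-length"))
    print("strict rejects duplicate:", strict_rejects(SAMPLE_DUPLICATE_LENGTH))
    print("strict joins #list:", parse_strict(SAMPLE_LIST_FIELD)["accept"])
```

The two lenient parsers agree on every well-formed message and diverge only on the blatantly malformed one, which is exactly why a recipient that rejects the duplicate removes the ambiguity rather than picking a side; the `#list` case shows that the strict rule still accepts legitimately repeated list fields.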