
Re: Message delimiting security issues

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Wed, 17 Jan 2007 17:41:46 -0600
Message-ID: <45AEB43A.2010903@rowe-clan.net>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, Travis Snoozy <ai2097@users.sourceforge.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Julian Reschke wrote:
> 
> So in this case the robustness principle is causing some of the
> interoperability and security problems?

Actually not-so-much.  If the middle tier properly rephrases the fields
and respects all of the guidance for building the outbound request, and either
chooses to be very liberal-yet-correct or extremely (and even overly) strict,
most of the splitting/spoofing issues would not have occurred in this specific
example.

The flaws came in where authors made assumptions (leading/trailing white
space around the header token treated as the header identifier, or
ignoring the rule to ignore C-L in the presence of T-E chunked, etc.),
trusting user input without validation.  That's the root of nearly
every vulnerability in the first place.

Received on Wednesday, 17 January 2007 23:42:28 GMT
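
The two mistakes named in the message above (whitespace tolerated around the field name, and Content-Length honoured alongside Transfer-Encoding: chunked) can be closed off when the middle tier rebuilds the outbound header block. The sketch below is an added example, not part of the original message or of any server's code; `build_outbound_headers` and `RejectRequest` are hypothetical names, and the input is assumed to be header lines already split on CRLF.

```python
import re

# Field-name characters allowed by the HTTP "token" rule (no SP, HT or ":").
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class RejectRequest(ValueError):
    """Ambiguous framing: answer 400 and do not forward."""

def build_outbound_headers(raw_lines):
    """Parse inbound header lines strictly; return (name, value) pairs
    that are safe to re-serialize as 'Name: value' for the next hop."""
    headers = []
    for line in raw_lines:
        name, sep, value = line.partition(":")
        # " Content-Length: 5" and "Content-Length : 5" are NOT trimmed
        # into a Content-Length field; the request is refused instead.
        if not sep or not TOKEN.fullmatch(name):
            raise RejectRequest("bad field name: %r" % name)
        headers.append((name, value.strip(" \t")))

    lengths = {v for n, v in headers if n.lower() == "content-length"}
    if len(lengths) > 1 or not all(re.fullmatch("[0-9]+", v) for v in lengths):
        raise RejectRequest("conflicting or malformed Content-Length")

    codings = [c.strip().lower() for n, v in headers
               if n.lower() == "transfer-encoding" for c in v.split(",")]
    if "chunked" in codings:
        # Chunked framing wins; Content-Length must not reach the back end.
        headers = [(n, v) for n, v in headers if n.lower() != "content-length"]
    return headers

if __name__ == "__main__":
    # Constructed sample request headers.
    sample = ["Host: app.example", "Content-Length: 5",
              "Transfer-Encoding: chunked"]
    for name, value in build_outbound_headers(sample):
        print("%s: %s" % (name, value))
```

Because the outbound request is serialized only from the returned pairs, the back end never sees a spelling of a framing header that the middle tier did not itself interpret.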