Re: Status of issue #30 (Implied LWS)

From: Amit Klein <aksecurity@gmail.com>
Date: Sat, 15 Nov 2008 00:54:19 +0200
Message-ID: <491E019B.3010001@gmail.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: Jamie Lokier <jamie@shareable.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:
> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote:
>   
>> Henrik Nordstrom wrote:
>>     
>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote:
>>>       
>>>> Yes; we looked at disallowing it, but implementations that support  
>>>> folding do already support whitespace-only lines.
>>>>         
>>> Some. Many fail, misreading it as end-of-headers...
>>>       
>> Last time I looked, I think Mozilla was in that category.
>>     
>
> Still?
>
> There was a security whitepaper on this some years ago which made a lot
> of people jump.. (or actually two with about a year in between, one
> looking at responses, one at requests)
>
>   

Yes, that was me ;-)

2004 - HTTP Response Splitting: 
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
2005 - HTTP Request Smuggling: 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
Received on Friday, 14 November 2008 22:55:05 GMT
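
The parsing disagreement discussed in this thread (a whitespace-only line read as a folded continuation by some implementations and as end-of-headers by others), shown as an added example that is not part of the original message. The function names and the sample header block are constructed for illustration and do not model any particular product.

```python
"""Two readings of a whitespace-only line inside an HTTP header block."""

def split_lines(raw: bytes):
    # Split a header block into lines; bare LF is tolerated for the demo.
    return raw.replace(b"\r\n", b"\n").split(b"\n")

def parse_headers(raw: bytes, whitespace_line_ends_headers: bool):
    """Parse header fields with line folding.

    whitespace_line_ends_headers=False: a line of only SP/HTAB is an
    (empty) continuation of the previous field.
    whitespace_line_ends_headers=True: such a line is taken as the blank
    line that terminates the headers.
    """
    headers = []
    for line in split_lines(raw):
        if line == b"" or (whitespace_line_ends_headers and line.strip() == b""):
            break
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation: append to the previous field value.
            name, value = headers[-1]
            headers[-1] = (name, (value + b" " + line.strip()).strip())
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def whitespace_only_lines(raw: bytes):
    """Defensive check: 1-based numbers of lines that are non-empty but
    consist solely of SP/HTAB. Expects the header block only."""
    return [i for i, line in enumerate(split_lines(raw), 1)
            if line and line.strip(b" \t") == b""]

def is_ambiguous(raw: bytes) -> bool:
    # True when the two readings disagree on which fields are headers.
    return parse_headers(raw, False) != parse_headers(raw, True)

# Constructed sample: line 3 holds a single space.
SAMPLE = b"Host: example.test\r\nX-First: a\r\n \r\nX-Second: b\r\n\r\n"

if __name__ == "__main__":
    print("folding reader:    ", parse_headers(SAMPLE, False))
    print("end-of-headers reader:", parse_headers(SAMPLE, True))
    print("whitespace-only lines:", whitespace_only_lines(SAMPLE))
```

Rejecting any message for which `whitespace_only_lines` returns a non-empty list removes the ambiguity before the message reaches a second parser.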