Amit Klein wrote:
> Henrik Nordstrom wrote:
>> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote:
>>
>>> Henrik Nordstrom wrote:
>>>
>>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote:
>>>>
>>>>> Yes; we looked at disallowing it, but implementations that
>>>>> support folding do already support whitespace-only lines.
>>>>>
>>>> Some. Many fail, misreading it as end-of-headers...
>>>>
>>> Last time I looked, I think Mozilla was in that category.
>>>
>>
>> Still?
>>
>> There was a security whitepaper on this some years ago which made a lot
>> of people jump.. (or actually two with about a year in between, one
>> looking at responses, one at requests)
>>
>>
>
> Yes, that was me ;-)
>
> 2004 - HTTP Response Splitting:
> http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
> 2005 - HTTP Request Smuggling:
> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
>
The "HTTP Request Smuggling" paper is actually the relevant one. I think I made a note about this earlier.

-Amit

Received on Friday, 14 November 2008 23:32:39 GMT