
Re: Status of issue #30 (Implied LWS)

From: Amit Klein <aksecurity@gmail.com>
Date: Sat, 15 Nov 2008 01:31:52 +0200
Message-ID: <491E0A68.5030108@gmail.com>
To: Amit Klein <aksecurity@gmail.com>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, Jamie Lokier <jamie@shareable.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Amit Klein wrote:
> Henrik Nordstrom wrote:
>> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote:
>>> Henrik Nordstrom wrote:
>>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote:
>>>>> Yes; we looked at disallowing it, but implementations that
>>>>> support folding do already support whitespace-only lines.
>>>> Some. Many fail, misreading it as end-of-headers...
>>> Last time I looked, I think Mozilla was in that category.
>>
>> Still?
>>
>> There was a security whitepaper on this some years ago which made a lot
>> of people jump.. (or actually two with about a year in between, one
>> looking at responses, one at requests)
>
> Yes, that was me ;-)
>
> 2004 - HTTP Response Splitting:
> http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
> 2005 - HTTP Request Smuggling:
> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
>

The "HTTP Request Smuggling" paper is actually the relevant one. I think I made a note about this earlier.

-Amit
Received on Friday, 14 November 2008 23:32:39 GMT
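To make the parser disagreement the thread describes concrete, here is an added example in Python (not from the thread, nor from Mozilla or any other implementation named in it): three header parsers read the same constructed request containing a whitespace-only line, and only the strict one refuses to let two peers disagree on where the headers end.

```python
# Constructed request (not from the thread): a whitespace-only line sits
# between two header fields. Under obs-fold rules it continues Host; a
# parser that strips before testing for "blank" sees end-of-headers instead.
RAW = (b"GET / HTTP/1.1\r\n"
       b"Host: example.test\r\n"
       b" \r\n"
       b"X-After: still-a-header\r\n"
       b"\r\n"
       b"body")


def _field(line):
    name, _, value = line.partition(b":")
    return name.strip().lower(), value.strip()


def parse_naive(raw):
    """Misreads a whitespace-only line as the end of the header block,
    so every later field is silently treated as message body."""
    lines, headers, i = raw.split(b"\r\n"), {}, 1
    while i < len(lines) and lines[i].strip() != b"":
        name, value = _field(lines[i])
        headers[name] = value
        i += 1
    return headers, b"\r\n".join(lines[i + 1:])


def parse_folding(raw):
    """Folding-aware: a line starting with SP/HTAB continues the previous
    field, the fold being replaced by one SP (the later RFC 7230 3.2.4 rule)."""
    lines, headers, last, i = raw.split(b"\r\n"), {}, None, 1
    while i < len(lines) and lines[i] != b"":
        if lines[i][:1] in (b" ", b"\t"):
            if last is None:
                raise ValueError("fold before the first header field")
            headers[last] = (headers[last] + b" " + lines[i].strip()).strip()
        else:
            last, value = _field(lines[i])
            headers[last] = value
        i += 1
    return headers, b"\r\n".join(lines[i + 1:])


def parse_strict(raw):
    """What an intermediary should do: reject obs-fold outright so that no
    downstream parser gets to disagree about where the headers end."""
    for line in raw.split(b"\r\n")[1:]:
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold / whitespace-only line rejected")
    return parse_folding(raw)
```

Run all three on RAW: the naive parser returns X-After inside the body, the folding parser returns it as a header, and the strict parser raises, which is the only outcome where no two hops can be made to see different messages.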
