
Re: (issue 30) - concrete security-related examples

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Tue, 21 Jul 2009 12:06:29 -0500
Message-ID: <4A65F595.8060307@rowe-clan.net>
To: Amit Klein <aksecurity@gmail.com>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Amit Klein wrote:
> 
>>> Invalid chars in field name: e.g. use of underscore for attack is
>>> discussed in
>>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>> Underscores are allowed in HTTP header field-names.
> 
> In such case, wouldn't there be collisions, e.g. User-Agent and
> User_Agent both will map into the CGI env variable HTTP_USER_AGENT.

That's not a concern of the http 2616 spec, but an issue for RFC3875.
Note that 4.1 of that RFC does not demand underscores, but illustrates
them and states that "A particular system can define a different
representation".

The obvious system is to invert the dash and underscore provided that
the system exposing these variables (e.g. environment tables on most
platforms) can represent dashes as well as underscores.

All of the symbols below are permitted in a token, AIUI:

 "!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~"

As well as all control codes 0 - 31 excluding 9, plus 127.  Of course
many of these make no sense, but that's the existing spec.  RFC2616bis
is not chartered to change the spec, only clarify it.
Received on Tuesday, 21 July 2009 17:07:16 GMT
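The collision described in the exchange above, worked through as an added example (my code, not part of the thread or of any CGI implementation): the RFC 3875 section 4.1.18 mapping from header field names to `HTTP_*` meta-variables, the dash/underscore inversion mentioned in the message as a hypothetical alternative mapper, a token check following the RFC 2616 section 2.2 grammar (any CHAR except CTLs or separators), and a gateway-side guard that withholds a meta-variable when more than one distinct field name would feed it. The sample headers are constructed.

```python
# Added example (not from the thread): how RFC 3875 maps HTTP header field
# names to CGI meta-variables, why distinct field names can collide, and a
# guard that refuses to export ambiguous variables.

# RFC 2616 section 2.2: token = 1*<any CHAR except CTLs or separators>
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
TOKEN_CHARS = {chr(c) for c in range(33, 127)} - SEPARATORS


def is_valid_token(field_name):
    """True if field_name is a syntactically valid RFC 2616 token."""
    return bool(field_name) and all(ch in TOKEN_CHARS for ch in field_name)


def rfc3875_meta_variable(field_name):
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + field_name.upper().replace("-", "_")


def inverted_meta_variable(field_name):
    """The 'different representation' floated in the message, as a
    hypothetical mapper (not standardised anywhere): '-' and '_' are swapped,
    so the two characters stay distinguishable after mapping."""
    return "HTTP_" + field_name.upper().translate(str.maketrans("-_", "_-"))


def find_collisions(field_names, mapper):
    """Return {meta_variable: [field names]} for every meta-variable that
    more than one *distinct* field name maps onto. Names are compared
    case-insensitively, because HTTP field names are case-insensitive and
    'user-agent' vs 'User-Agent' is the same header, not a collision."""
    buckets = {}
    for name in field_names:
        buckets.setdefault(mapper(name), []).append(name)
    return {var: names for var, names in buckets.items()
            if len({n.lower() for n in names}) > 1}


def build_cgi_environment(headers, mapper=rfc3875_meta_variable):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs.
    Ambiguous meta-variables (fed by more than one distinct field name) and
    syntactically invalid field names are withheld and reported, instead of
    letting whichever header arrives last overwrite the variable."""
    ambiguous = find_collisions([name for name, _ in headers], mapper)
    env = {}
    for name, value in headers:
        var = mapper(name)
        if var in ambiguous or not is_valid_token(name):
            continue
        env[var] = value
    return env, ambiguous


# Constructed sample request headers (not taken from the thread)
SAMPLE_HEADERS = [
    ("User-Agent", "Mozilla/5.0"),
    ("User_Agent", "something-else"),   # same HTTP_USER_AGENT under RFC 3875
    ("X-Forwarded-For", "10.0.0.1"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    env, ambiguous = build_cgi_environment(SAMPLE_HEADERS)
    print("RFC 3875 mapping  :", env, "withheld:", ambiguous)
    env, ambiguous = build_cgi_environment(SAMPLE_HEADERS, inverted_meta_variable)
    print("inverted mapping  :", env, "withheld:", ambiguous)
```

With the RFC 3875 mapper the two User-Agent variants collide and `HTTP_USER_AGENT` is withheld; with the inverted mapper they become `HTTP_USER_AGENT` and `HTTP_USER-AGENT`, which is only useful, as the message notes, on a platform whose environment table can carry a dash in a variable name.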

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:08 GMT