
Re: (issue 30) - concrete security-related examples

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Tue, 21 Jul 2009 12:17:23 -0500
Message-ID: <4A65F823.7000801@rowe-clan.net>
To: Amit Klein <aksecurity@gmail.com>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
William A. Rowe, Jr. wrote:
> Amit Klein wrote:
>>>> Invalid chars in field name: e.g. use of underscore for attack is
>>>> discussed in
>>>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>>> Underscores are allowed in HTTP header field-names.
>> In such a case, wouldn't there be collisions, e.g. User-Agent and
>> User_Agent both will map into the CGI env variable HTTP_USER_AGENT.
> 
> That's not a concern of the http 2616 spec, but an issue for RFC3875.
> Note that 4.1 of that RFC does not demand underscores, but illustrates
> them and states that "A particular system can define a different
> representation".
> 
> The obvious system is to invert the dash and underscore provided that
> the system exposing these variables (e.g. environment tables on most
> platforms) can represent dashes as well as underscores.
> 
> All of the symbols below are permitted as token, AIUI;
> 
>  "!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~"

The above is correct, that's where my brain failed me...

<incorrect>
> As well as all control codes 0 - 31 excluding 9, plus 127.  Of course
> many of these make no sense, but that's the existing spec.  RFC2616bis
> is not chartered to change the spec, only clarify it.
</incorrect>

Momentary space-out there, sorry for the misinformation; of course...

token          = 1*<any CHAR except CTLs or separators>

> 
Received on Tuesday, 21 July 2009 17:18:08 GMT
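Added example, not code from the thread or from any of its participants: the RFC 3875 4.1 meta-variable convention that the exchange above describes, showing that User-Agent and User_Agent both land in HTTP_USER_AGENT, beside a stricter mapping that refuses underscore-bearing names so the collision cannot happen. The header list and the strict policy are assumptions for illustration, not something the thread proposes.

```python
from collections import defaultdict

# RFC 2616: token = 1*<any CHAR except CTLs or separators>
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')

def is_token(name):
    """True if name is a valid RFC 2616 token (underscore is allowed)."""
    if not name:
        return False
    for ch in name:
        o = ord(ch)
        if o > 127 or o < 32 or o == 127 or ch in SEPARATORS:
            return False
    return True

def cgi_meta_variable(field_name):
    """RFC 3875 4.1 convention: HTTP_ + uppercased name, '-' -> '_'."""
    return "HTTP_" + field_name.upper().replace("-", "_")

def collisions(headers):
    """Meta-variables produced by more than one distinct field name."""
    sources = defaultdict(list)
    for name, _ in headers:
        var = cgi_meta_variable(name)
        if name not in sources[var]:
            sources[var].append(name)
    return {v: n for v, n in sources.items() if len(n) > 1}

def build_env(headers, strict=False):
    """Naive mapping (last value wins) versus an assumed strict policy that
    drops non-token names and any name containing '_', so two distinct
    names can never reach the same meta-variable. Returns (env, dropped)."""
    env, dropped = {}, []
    for name, value in headers:
        if strict and (not is_token(name) or "_" in name):
            dropped.append(name)
            continue
        env[cgi_meta_variable(name)] = value
    return env, dropped

# Constructed request headers: a filter keyed on "User-Agent" never sees
# the second name, yet both land in HTTP_USER_AGENT.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("User-Agent", "Mozilla/5.0"),
    ("User_Agent", "spoofed"),
]

if __name__ == "__main__":
    print(collisions(SAMPLE_HEADERS), build_env(SAMPLE_HEADERS, strict=True))
```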

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:08 GMT