
Re: clients ignoring brokenness of sites

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 23 Jul 2009 21:48:12 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1248378492.14420.61.camel@localhost.localdomain>
On Thu, 2009-07-23 at 14:00 +1200, Adrien de Croy wrote:

> Normally this wouldn't be particularly interesting - just another broken 
> site.  However all the browsers I tested swallowed this without 
> complaining and displayed the body.  I tested IE8, Chrome, FF3.5 and 
> Opera 9.6.4.  Each of the lines in the response was terminated by CRLF 
> (not bare LF), so I'm struggling to see how anyone can interpret the PHP 
> warning as anything resembling a valid header (even wrapped, since no 
> leading WS).

Heh..

your message got me to test how Squid behaves, and the result was not
quite what I remembered. It by default logs those non-header error lines
without a : in the debug log and strips them from the response. In this
setting it also removes spaces before : if any is seen. There is a
setting to barf loudly and reject the response but it's not enabled by
default (it then stops at "PHP Warning:" barfing on the space
character).

Servers allowing applications to send headers like this is a security
issue as they open up for cache poisoning attacks if an attacker can
inject data there, but provided proxies handle corrupted messages
reasonably well it's isolated to their own content so it's not
considered a major issue.

Regards
Henrik
Received on Thursday, 23 July 2009 19:48:55 GMT
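The two proxy behaviours described above (log and strip lines that are not valid header fields, or reject the whole response when a field name is malformed) are easy to reason about with a small parser. The following is an added example written for this archive page; it is not Squid's code and is not from anyone in the thread. The sample response, the `MalformedHeader` exception and the `strict` flag are constructed for illustration. It checks field names against the RFC 7230 token grammar, drops whitespace before the colon in lenient mode (as the message says Squid does), and records everything it removed so a defender can see what a misbehaving origin tried to push through the header block.

```python
"""Lenient vs. strict parsing of an HTTP response header block.

Added example (not Squid's or the thread's code). Models two policies for a
response that carries non-header junk, such as a PHP warning, in the header
section: lenient mode strips and logs the junk, strict mode rejects the
response. Everything below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# RFC 7230 section 3.2.6 "tchar": the only characters allowed in a field name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class MalformedHeader(ValueError):
    """Raised in strict mode when a header line is not a valid field."""


@dataclass
class ParsedResponse:
    status_line: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    dropped: list[tuple[str, str]] = field(default_factory=list)   # (reason, line)
    repaired: list[tuple[str, str]] = field(default_factory=list)  # (reason, line)
    body: bytes = b""


def parse_response_headers(raw: bytes, strict: bool = False) -> ParsedResponse:
    """Parse status line + header fields; body is returned untouched.

    strict=False: drop lines without ':' or with a non-token field name,
                  and remove whitespace between the name and the ':'.
    strict=True:  raise MalformedHeader at the first such line instead.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedHeader("header block not terminated by CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    result = ParsedResponse(status_line=lines[0], body=body)

    def problem(reason: str, line: str) -> None:
        # Strict policy: reject the whole response. Lenient: log and strip.
        if strict:
            raise MalformedHeader(f"{reason}: {line!r}")
        result.dropped.append((reason, line))

    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            # obs-fold continuation: append to the previous field's value.
            if result.headers:
                name, value = result.headers[-1]
                result.headers[-1] = (name, value + " " + line.strip())
            else:
                problem("continuation line with no preceding field", line)
            continue
        name, colon, value = line.partition(":")
        if not colon:
            problem("no ':' in line", line)
            continue
        if name != name.rstrip():
            # Whitespace before ':' is forbidden (RFC 7230 3.2.4); the
            # lenient policy removes it and records that it did so.
            if strict:
                raise MalformedHeader(f"whitespace before ':': {line!r}")
            result.repaired.append(("whitespace before ':' removed", line))
            name = name.rstrip()
        if not TOKEN_RE.match(name):
            problem("field name is not a token", line)
            continue
        result.headers.append((name, value.strip()))
    return result


# Constructed sample: an origin that let a PHP warning and a stray notice
# leak into the header section, plus a space before one colon.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 23 Jul 2009 19:48:12 GMT\r\n"
    b"PHP Warning:  Undefined variable $x in /var/www/index.php on line 3\r\n"
    b"Notice line with no colon at all\r\n"
    b"Content-Type : text/html\r\n"
    b"\r\n"
    b"<html>ok</html>"
)

if __name__ == "__main__":
    lenient = parse_response_headers(SAMPLE_RESPONSE)
    print("kept:", lenient.headers)
    print("dropped:", lenient.dropped)
    print("repaired:", lenient.repaired)
    try:
        parse_response_headers(SAMPLE_RESPONSE, strict=True)
    except MalformedHeader as exc:
        print("strict mode rejected the response:", exc)
```

In lenient mode the `dropped` list is what a proxy would write to its debug log; reviewing it is a cheap way to spot origins that let application diagnostics into the header block, which is the condition the message above calls out as a cache-poisoning risk when the leaked text is attacker-influenced.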

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:08 GMT