
#340: CR CR LF

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 7 Feb 2012 15:20:57 +1100
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "Julian F. Reschke" <julian.reschke@gmx.de>
Message-Id: <3DCE72EA-D295-4C1B-B4F2-AC658CAE7A1D@mnot.net>
To: Willy Tarreau <w@1wt.eu>

My .02 - I'm +1 on everything except the last sentence; read literally, it prohibits a CR not followed by a LF *anywhere* in the message, and even if that's fixed, it's too prohibitive (the ABNF already requires CRLF).

That makes it:

>    Likewise, although the line terminator for the start-line and header
>    fields is the sequence CRLF, we recommend that recipients recognize a
>    single LF as a line terminator and ignore the preceding CR, if present.


BTW, I think we're getting to wordsmithing here, does anyone disagree with the general sentiment?

Regards,


On 07/02/2012, at 2:18 PM, Mark Nottingham wrote:

>> 3.5. Message Parsing Robustness
>> 
>>> Likewise, although the line terminator for the start-line and header
>>> fields is the sequence CRLF, we recommend that recipients recognize a
>>> single LF as a line terminator and ignore any CR.
>> 
>> Does this mean that CR CR CR CR CR CR LF should be interpreted as a single
>> LF? It kind of scares me on the risk of smuggling attacks. I'd rather
>> suggest:
>> 
>>   ... we recommend that recipients recognize a single LF as a line
>>   terminator and ignore the optional preceding CR. Messages containing
>>   a CR not followed by an LF MUST be rejected.
> 
> I've created <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/340>.

--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 7 February 2012 04:26:26 GMT
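
Added example (not part of the original message or of the HTTPbis draft): the three CR-handling readings discussed in this thread, applied to a constructed header block, to show where recipients following different readings disagree on line contents. The function name `split_lines`, the policy names and the sample bytes are assumptions made for illustration.

```python
class BareCR(ValueError):
    """Raised when a CR in the header block is not immediately followed by LF."""


def split_lines(data: bytes, policy: str) -> list[bytes]:
    """Split a start-line/header block on LF, handling CR according to `policy`.

    "any-cr"    - strip every CR before the LF (one reading of "ignore any CR")
    "one-cr"    - strip at most one CR directly before the LF
    "reject-cr" - as "one-cr", but raise BareCR for any other CR
    Only the header block is examined here, not the message body.
    """
    if policy not in ("any-cr", "one-cr", "reject-cr"):
        raise ValueError("unknown policy: " + policy)
    lines = []
    # Bytes after the final LF form an incomplete line and are not returned.
    for raw in data.split(b"\n")[:-1]:
        if policy == "any-cr":
            line = raw.rstrip(b"\r")
        else:
            line = raw[:-1] if raw.endswith(b"\r") else raw
            if policy == "reject-cr" and b"\r" in line:
                raise BareCR(repr(raw))
        lines.append(line)
    return lines


# Constructed sample: the first line ends in CR CR CR LF, the rest in CRLF.
SAMPLE = b"Host: example.test\r\r\r\nX-Test: 1\r\n\r\n"


def compare(data: bytes) -> dict:
    """Return each policy's view of `data`, or the string "rejected"."""
    views = {}
    for policy in ("any-cr", "one-cr", "reject-cr"):
        try:
            views[policy] = split_lines(data, policy)
        except BareCR:
            views[policy] = "rejected"
    return views


if __name__ == "__main__":
    for policy, view in compare(SAMPLE).items():
        print(policy, view)
```

Under "any-cr" the first field value is clean, under "one-cr" it keeps two trailing CR bytes, and under "reject-cr" the block is refused; two hops that pick different readings therefore do not see the same header field.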
