
Re: #341: whitespace in request-lines and status-lines

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 13 Feb 2012 08:16:31 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20120213071631.GW21225@1wt.eu>

Hi Mark,

On Mon, Feb 13, 2012 at 03:10:06PM +1100, Mark Nottingham wrote:
> Looking at this a bit more.
> 
> We can't use OWS or BWS here, because they both include obs-fold.
> 
> So, proposal:
> 
> 
> Add a new construct:
> 
> SSP = SP /  1*BSP         ; preferred single space
> BSP = ( HTAB / SP )       ; "bad" space
> 
> And change Request-Line and Status-Line to:
> 
>      Request-Line   = Method SSP request-target SSP HTTP-Version BSP CRLF
>      Status-Line = HTTP-Version SSP Status-Code SSP Reason-Phrase BSP CRLF
> 
> With appropriate text cautioning against generation of BSP, but advising consumption of it.
> 
> Thoughts?

FWIW, haproxy has never allowed HTABs nor multiple spaces here and still
we don't get error reports. In fact the only times I catch this, it comes
from a poorly-written attack script.

I don't think we should relax the parsing rules, and it seems like Amos and
I were on the same line of "exactly matching" one SP.

Regards,
Willy
Received on Monday, 13 February 2012 07:16:59 GMT
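
An added example, not part of the thread and not haproxy's code: a Python sketch that classifies request-lines under the exact single-SP rule described in the reply and under the proposed SSP/BSP grammar, so that lines only a lenient parser would accept can be flagged during log review. The method, target and version patterns are simplified assumptions, the trailing BSP is read as optional, and the sample lines are constructed.

```python
import re

# Simplified element patterns (assumptions for this example);
# only the whitespace handling follows the thread.
METHOD = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TARGET = r"[^ \t\r\n]+"
VERSION = r"HTTP/\d+\.\d+"

# Strict: exactly one SP between elements, nothing before CRLF.
STRICT = re.compile(rf"{METHOD} {TARGET} {VERSION}\r\n")
# Lenient: SSP = SP / 1*BSP between elements, BSP = HTAB / SP.
# The trailing BSP is treated as zero or more (assumption).
LENIENT = re.compile(rf"{METHOD}[ \t]+{TARGET}[ \t]+{VERSION}[ \t]*\r\n")


def classify(line: bytes) -> str:
    """Return 'strict', 'lenient-only' or 'invalid' for one request-line."""
    text = line.decode("latin-1")
    if STRICT.fullmatch(text):
        return "strict"
    if LENIENT.fullmatch(text):
        return "lenient-only"
    return "invalid"


def deviations(line: bytes) -> list[str]:
    """Name the whitespace deviations present in a request-line."""
    text = line.decode("latin-1").removesuffix("\r\n")
    body = text.rstrip(" \t")
    found = []
    if "\t" in text:
        found.append("HTAB")
    if "  " in body:
        found.append("multiple SP")
    if body != text:
        found.append("trailing whitespace")
    return found


# Constructed sample request-lines, not taken from any real traffic.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET\t/index.html HTTP/1.1\r\n",
    b"GET  /index.html  HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1 \r\n",
    b"GET /index.html\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:40} {classify(raw):13} {deviations(raw)}")
```

Lines reported as `lenient-only` are the ones on which a strict front end and a lenient back end would disagree.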
