- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 20 Apr 2013 14:07:39 +1000
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
p1 3.2.4 defines requirements for handling obs-fold: > When an obs-fold is received in a message, recipients MUST do one of: > > • accept the message and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream; > • if it is a request, reject the message by sending a 400 (Bad Request) response with a representation explaining that obsolete line folding is unacceptable; or, > • if it is a response, discard the message and generate a 502 (Bad Gateway) response with a representation explaining that unacceptable line folding was received. > > Recipients that choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing header fields with leading whitespace, as this can expose them to attacks that exploit this difference in processing. This seems to repeat itself; what is the difference between choosing to reject the request in the manner described in the last two bullet points, and not accepting the message? I think that the last sentence can be removed. -- Mark Nottingham http://www.mnot.net/
Received on Saturday, 20 April 2013 04:08:02 UTC