
Re: p1: handling obs-fold

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sun, 19 May 2013 15:32:54 -0700
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <2EE3132B-78D5-4BA7-BAEE-FFC916E1484D@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>

Fixed in

http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2260

....Roy

On Apr 19, 2013, at 9:07 PM, Mark Nottingham wrote:

> p1 3.2.4 defines requirements for handling obs-fold:
> 
>> When an obs-fold is received in a message, recipients MUST do one of:
>> 
>>   * accept the message and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream;
>>   * if it is a request, reject the message by sending a 400 (Bad Request) response with a representation explaining that obsolete line folding is unacceptable; or,
>>   * if it is a response, discard the message and generate a 502 (Bad Gateway) response with a representation explaining that unacceptable line folding was received.
>> 
>> Recipients that choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing header fields with leading whitespace, as this can expose them to attacks that exploit this difference in processing.
> 
> This seems to repeat itself; what is the difference between choosing to reject the request in the manner described in the last two bullet points, and not accepting the message?
> 
> I think that the last sentence can be removed.
> 
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 
Received on Sunday, 19 May 2013 22:33:11 UTC
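
The three options quoted from p1 3.2.4 above, as an added example that is not part of the original thread or of any project's code: a recipient either normalizes every obs-fold before interpreting or forwarding the field section, or rejects with 400 (request) or 502 (response). The function names, the sample field section, and the obs-fold pattern (CRLF followed by one or more SP/HTAB, as published in RFC 7230) are assumptions of this example.

```python
import re

# Assumption: obs-fold = CRLF 1*( SP / HTAB ), the grammar published in RFC 7230.
OBS_FOLD = re.compile(rb"\r\n[ \t]+")

# Constructed sample field section (start-line already removed).
SAMPLE = (b"Host: example.com\r\n"
          b"X-Note: first part\r\n"
          b" \tsecond part\r\n"
          b"Content-Length: 0\r\n")


def unfold_single_sp(fields: bytes) -> bytes:
    """Replace each obs-fold with a single SP (the result gets shorter)."""
    return OBS_FOLD.sub(b" ", fields)


def unfold_in_place(buf: bytearray) -> int:
    """Overwrite each obs-fold with the same number of SP octets, so the
    buffer keeps its length and offsets. Returns the number of folds."""
    spans = [m.span() for m in OBS_FOLD.finditer(buf)]
    for start, end in spans:
        buf[start:end] = b" " * (end - start)
    return len(spans)


def handle_field_section(fields: bytes, is_request: bool, accept_folds: bool):
    """Return (status, fields); status None means keep processing the message.

    A recipient without obs-fold processing (accept_folds=False) rejects
    rather than passing the fold on to be read differently downstream."""
    reject = 400 if is_request else 502  # 400 for requests, 502 for responses
    # Assumption: whitespace before the first field has no line to fold into,
    # so it is rejected in both modes.
    if fields[:1] in (b" ", b"\t"):
        return reject, b""
    if not OBS_FOLD.search(fields):
        return None, fields
    if not accept_folds:
        return reject, b""
    buf = bytearray(fields)
    unfold_in_place(buf)
    return None, bytes(buf)


if __name__ == "__main__":
    print(handle_field_section(SAMPLE, is_request=True, accept_folds=True))
    print(handle_field_section(SAMPLE, is_request=False, accept_folds=False))
```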
