
Re: [HTTP/1.1] method length and 501 Not Implemented

From: Adrien W. de Croy <adrien@qbik.com>
Date: Tue, 12 Mar 2013 23:29:26 +0000
To: "Karl Dubost" <karl@la-grange.net>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <em81980c60-5355-43a6-950d-10278928f40d@bombed>

I think it is simply proposing a simple strategy to deal with what could 
otherwise be a buffer overrun attack on method.

e.g. instead of waiting until you have accumulated the entire method 
string, you can fail early if the length is greater than any you 

------ Original Message ------
From: "Karl Dubost" <karl@la-grange.net>
To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 13/03/2013 12:26:38 p.m.
Subject: Re: [HTTP/1.1] method length and 501 Not Implemented
>On 12 March 2013 at 19:19, Bjoern Hoehrmann wrote:
>>  The text above discusses length limits and reactions to them; it is 
>>  meant to say anything about other reasons for sending 501. If the 
>>  does not recognise the "YO" method then it should also reply with 
>>  as per the definition of the 501 status code.
>Yes exactly, but then why be specific on the length of the *method*?
>It seems the spec could get rid of that specific sentence without 
>losing meaning.
>Karl Dubost
Received on Tuesday, 12 March 2013 23:29:55 UTC
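
The early-failure strategy described in the message above, as an added example that is not part of the original thread: a chunk-fed C parser that stores the method in a fixed buffer and answers 501 as soon as the token is longer than any method it implements, without accumulating the rest. The method table, `MAX_METHOD`, the 400 result for malformed input, and all type and function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Assumption for this example: the only methods the server implements. */
static const char *const KNOWN[] = { "GET", "HEAD", "POST", "OPTIONS" };
#define N_KNOWN (sizeof KNOWN / sizeof KNOWN[0])
#define MAX_METHOD 7  /* strlen("OPTIONS"), the longest entry in KNOWN */
enum result { NEED_MORE = 0, METHOD_OK = 200, BAD_REQUEST = 400, NOT_IMPLEMENTED = 501 };
struct method_parser {
    char   buf[MAX_METHOD + 1]; /* fixed size: never grows with the input */
    size_t len;                 /* method bytes stored so far */
    size_t seen;                /* input bytes examined so far */
};
/* tchar from the HTTP token grammar: ALPHA / DIGIT / one of !#$%&'*+-.^_`|~ */
static int is_tchar(unsigned char c)
{
    return c != '\0' && (strchr("!#$%&'*+-.^_`|~", c) != NULL || (c >= '0' && c <= '9') ||
                         (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'));
}

/* Feed one received chunk; the method may be split across several chunks. */
static enum result method_feed(struct method_parser *p, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)data[i];
        p->seen++;
        if (c == ' ') {                          /* SP ends the method token */
            if (p->len == 0) return BAD_REQUEST; /* 400 here is this example's choice */
            p->buf[p->len] = '\0';
            for (size_t k = 0; k < N_KNOWN; k++)
                if (strcmp(p->buf, KNOWN[k]) == 0) return METHOD_OK;
            return NOT_IMPLEMENTED;              /* well-formed but unknown, e.g. "YO" */
        }
        if (!is_tchar(c)) return BAD_REQUEST;
        if (p->len == MAX_METHOD) return NOT_IMPLEMENTED; /* fail early: too long to be known */
        p->buf[p->len++] = (char)c;
    }
    return NEED_MORE;
}

int main(void)
{
    /* Constructed request lines; the last method is longer than any entry in KNOWN. */
    const char *in[] = { "GET / HTTP/1.1", "YO / HTTP/1.1", "AAAAAAAAAAAAAAAA / HTTP/1.1" };
    for (size_t i = 0; i < 3; i++) {
        struct method_parser p = { {0}, 0, 0 };
        enum result r = method_feed(&p, in[i], strlen(in[i]));
        printf("%-28s -> %d after %zu bytes\n", in[i], (int)r, p.seen);
    }
    return 0;
}
```

The parser examines at most `MAX_METHOD + 1` bytes of an oversized method before it answers, so the cost of rejecting the request does not depend on how much the client sends.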

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:10 UTC