- From: Adrien W. de Croy <adrien@qbik.com>
- Date: Tue, 12 Mar 2013 23:29:26 +0000
- To: "Karl Dubost" <karl@la-grange.net>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
I think it is simply proposing a simple strategy to deal with what could otherwise be a buffer overrun attack on method. e.g. instead of waiting until you have accumulated the entire method string, you can fail early if the length is greater than any you recognise.

------ Original Message ------
From: "Karl Dubost" <karl@la-grange.net>
To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 13/03/2013 12:26:38 p.m.
Subject: Re: [HTTP/1.1] method length and 501 Not Implemented

>On 12 March 2013 at 19:19, Bjoern Hoehrmann wrote:
>> The text above discusses length limits and reactions to them; it is not
>> meant to say anything about other reasons for sending 501. If the server
>> does not recognise the "YO" method then it should also reply with 501,
>> as per the definition of the 501 status code.
>
>Yes exactly, but then why be specific on the length of the *method*?
>http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-22#section-6.6.2
>
>It seems the spec could get rid of that specific sentence without
>losing meaning.
>
>--
>Karl Dubost
>http://www.la-grange.net/karl/
Received on Tuesday, 12 March 2013 23:29:55 UTC
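
The fail-early strategy described in the message above, as an added example that is not part of the original thread or of any server's code: a streaming method parser whose buffer is sized to the longest recognised method and which answers 501 as soon as the token exceeds it. The method table, type names and function names are assumptions made for this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Constructed method table for this sketch; a real server has its own list. */
static const char *const KNOWN[] = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"};
#define N_KNOWN (sizeof KNOWN / sizeof KNOWN[0])
#define MAX_METHOD 7 /* strlen("OPTIONS"), the longest entry above */

enum { NEED_MORE = 0, METHOD_OK = 200, NOT_IMPLEMENTED = 501 };

struct method_parser {
    char   buf[MAX_METHOD + 1]; /* longest recognised method plus NUL */
    size_t len;
};

static void method_init(struct method_parser *p) { p->len = 0; }

/* Feed the next chunk read from the connection. Returns NEED_MORE until
 * the method is decided, then METHOD_OK or NOT_IMPLEMENTED. */
static int method_feed(struct method_parser *p, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == ' ') {         /* SP terminates the method token */
            p->buf[p->len] = '\0';
            for (size_t k = 0; k < N_KNOWN; k++)
                if (strcmp(p->buf, KNOWN[k]) == 0)
                    return METHOD_OK;
            return NOT_IMPLEMENTED;   /* short but unrecognised, e.g. "YO" */
        }
        if (p->len == MAX_METHOD)     /* already longer than any known method */
            return NOT_IMPLEMENTED;   /* fail early, nothing written past buf */
        p->buf[p->len++] = data[i];
    }
    return NEED_MORE;                 /* token not finished, wait for more bytes */
}

int main(void)
{
    struct method_parser p;
    method_init(&p);
    /* Constructed request line using the "YO" method from the thread. */
    return method_feed(&p, "YO / HTTP/1.1\r\n", 15) == NOT_IMPLEMENTED ? 0 : 1;
}
```

Both the over-long token and the short unrecognised "YO" end in 501, but only the first is rejected before the token has been read in full.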