W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: [HTTP/1.1] method length and 501 Not Implemented

From: Adrien W. de Croy <adrien@qbik.com>
Date: Tue, 12 Mar 2013 23:29:26 +0000
To: "Karl Dubost" <karl@la-grange.net>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
Message-Id: <em81980c60-5355-43a6-950d-10278928f40d@bombed>

I think it is simply proposing a simple strategy to deal with what could 
otherwise be a buffer overrun attack on method.

e.g. instead of waiting until you have accumulated the entire method 
string, you can fail early if the length is greater than any you 
recognise.


------ Original Message ------
From: "Karl Dubost" <karl@la-grange.net>
To: "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: "IETF HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 13/03/2013 12:26:38 p.m.
Subject: Re: [HTTP/1.1] method length and 501 Not Implemented
>
>Le 12 mars 2013 à 19:19, Bjoern Hoehrmann a écrit :
>>  The text above discusses length limits and reactions to them; it is 
>>not
>>  meant to say anything about other reasons for sending 501. If the 
>>server
>>  does not recognise the "YO" method then it should also reply with 
>>501,
>>  as per the definition of the 501 status code.
>
>
>Yes exactly, but then why being specific on the length of the *method*?
>http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-22#section-6.6.2
>
>It seems the spec could get rid of that specific sentence without 
>loosing meaning.
>
>
>--
>Karl Dubost
>http://www.la-grange.net/karl/
>
>
Received on Tuesday, 12 March 2013 23:29:55 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 12 March 2013 23:29:57 GMT