- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 13 Mar 2013 20:58:14 +1300
- To: ietf-http-wg@w3.org
On 13/03/2013 12:29 p.m., Adrien W. de Croy wrote:
>
> I think it is simply proposing a simple strategy to deal with what
> could otherwise be a buffer overrun attack on method.
>
> e.g. instead of waiting until you have accumulated the entire method
> string, you can fail early if the length is greater than any you
> recognise.
>

Yes. This is more about the servers which are relay agents and implement
the "YO" / unknown methods by relaying it upstream. In order to do
anything with the URL portion of the request-line they have to cope with
methods being too long.

Amos

>
> ------ Original Message ------
> From: "Karl Dubost"
>>
>> On 12 March 2013 at 19:19, Bjoern Hoehrmann wrote:
>>> The text above discusses length limits and reactions to them; it is
>>> not meant to say anything about other reasons for sending 501. If the
>>> server does not recognise the "YO" method then it should also reply
>>> with 501, as per the definition of the 501 status code.
>>
>> Yes exactly, but then why be specific on the length of the *method*?
>> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-22#section-6.6.2
>>
>> It seems the spec could get rid of that specific sentence without
>> losing meaning.
>>
>> --
>> Karl Dubost
>> http://www.la-grange.net/karl/
Received on Wednesday, 13 March 2013 07:58:58 UTC
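
The fail-early strategy discussed in this thread, sketched as an added example (not code from the draft, from Squid or from any participant): an incremental request-line parser for a relay that forwards unknown methods but stops buffering as soon as the method exceeds a bound. `METHOD_MAX`, the type names and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 32  /* assumed limit for this example, not from the draft */

enum method_status { METHOD_NEED_MORE, METHOD_DONE, METHOD_TOO_LONG, METHOD_BAD };

struct method_parser {
    char   buf[METHOD_MAX + 1];  /* +1 for the terminating NUL */
    size_t len;
};

void method_parser_init(struct method_parser *p) { p->len = 0; p->buf[0] = '\0'; }

/* Feed one chunk as it arrives; *used is set to the number of bytes consumed.
 * The length check runs per byte, so an oversized method is rejected on its
 * (METHOD_MAX + 1)th byte, never buffered whole and never written past buf. */
enum method_status method_feed(struct method_parser *p, const char *data,
                               size_t n, size_t *used)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)data[i];
        *used = i;
        if (c == ' ') {                       /* SP ends the method token */
            *used = i + 1;
            p->buf[p->len] = '\0';
            return p->len ? METHOD_DONE : METHOD_BAD;
        }
        if (c < 0x21 || c > 0x7e)             /* simplified token check */
            return METHOD_BAD;
        if (p->len == METHOD_MAX)             /* fail early: answer 501 */
            return METHOD_TOO_LONG;
        p->buf[p->len++] = (char)c;
    }
    *used = n;
    return METHOD_NEED_MORE;
}

int main(void)
{
    struct method_parser p;
    size_t used;
    method_parser_init(&p);
    method_feed(&p, "Y", 1, &used);           /* constructed sample input */
    if (method_feed(&p, "O /x HTTP/1.1\r\n", 15, &used) == METHOD_DONE)
        printf("relay method \"%s\" upstream\n", p.buf);
    return 0;
}
```

An unrecognised but short method such as "YO" still parses and can be relayed; only the length bound triggers the early rejection.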