
Re: [HTTP/1.1] method length and 501 Not Implemented

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 13 Mar 2013 20:58:14 +1300
Message-ID: <51403196.1080806@treenet.co.nz>
To: ietf-http-wg@w3.org
On 13/03/2013 12:29 p.m., Adrien W. de Croy wrote:
>
> I think it is simply proposing a simple strategy to deal with what 
> could otherwise be a buffer overrun attack on method.
>
> e.g. instead of waiting until you have accumulated the entire method 
> string, you can fail early if the length is greater than any you 
> recognise.
>

Yes. This is more about the servers which are relay agents and implement 
the "YO" / unknown methods by relaying it upstream. In order to do 
anything with the URL portion of the request-line they have to cope with 
methods being too long.

Amos

>
> ------ Original Message ------
> From: "Karl Dubost"
>>
>> On 12 March 2013 at 19:19, Bjoern Hoehrmann wrote:
>>> The text above discusses length limits and reactions to them; it is
>>> not meant to say anything about other reasons for sending 501. If the
>>> server does not recognise the "YO" method then it should also reply
>>> with 501, as per the definition of the 501 status code.
>>
>>
>> Yes exactly, but then why be specific on the length of the *method*?
>> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-22#section-6.6.2 
>>
>>
>> It seems the spec could get rid of that specific sentence without 
>> losing meaning.
>>
>>
>> -- 
>> Karl Dubost
>> http://www.la-grange.net/karl/
>>
>>
>
>
Received on Wednesday, 13 March 2013 07:58:58 GMT
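The fail-early strategy Adrien and Amos describe, as an added example (this is not code from the thread, from Squid, or from any HTTP implementation): a streaming request-line parser in C that checks the method token's length on every octet and answers 501 as soon as the token crosses a cap, instead of buffering until the delimiting SP arrives. The cap `MAX_METHOD_LEN` (16 octets, roomier than the 7-octet standard methods such as OPTIONS and CONNECT, to leave headroom for a relay forwarding unknown methods), the chunk size used to simulate network reads, and the sample requests are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed cap on the method token. Standard methods top out at 7 octets
 * (OPTIONS, CONNECT); a relay forwarding unknown methods upstream picks a
 * larger but still bounded value rather than accumulating indefinitely. */
#define MAX_METHOD_LEN 16

enum parse_status {
    PARSE_NEED_MORE,        /* consumed all input so far, no SP seen yet */
    PARSE_OK,               /* method complete, terminated by SP */
    PARSE_NOT_IMPLEMENTED,  /* token exceeded MAX_METHOD_LEN -> 501 */
    PARSE_BAD_REQUEST       /* octet that is not a tchar, or empty method -> 400 */
};

struct method_parser {
    char   buf[MAX_METHOD_LEN + 1];
    size_t len;
};

static void method_parser_init(struct method_parser *p)
{
    p->len = 0;
    p->buf[0] = '\0';
}

/* tchar as defined in RFC 7230 section 3.2.6 */
static int is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Feed one chunk of input. *consumed reports how many octets were used.
 * The length check runs per octet, so an over-long token is rejected the
 * moment it crosses the cap, without waiting for the SP that ends it. */
static enum parse_status method_parser_feed(struct method_parser *p,
                                            const char *chunk, size_t n,
                                            size_t *consumed)
{
    size_t i;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)chunk[i];
        if (c == ' ') {
            *consumed = i + 1;
            if (p->len == 0)
                return PARSE_BAD_REQUEST;      /* request-line starts with SP */
            p->buf[p->len] = '\0';
            return PARSE_OK;
        }
        if (!is_tchar(c)) {
            *consumed = i + 1;
            return PARSE_BAD_REQUEST;
        }
        if (p->len >= MAX_METHOD_LEN) {
            *consumed = i + 1;
            return PARSE_NOT_IMPLEMENTED;      /* fail early: cap exceeded */
        }
        p->buf[p->len++] = (char)c;
    }
    *consumed = n;
    return PARSE_NEED_MORE;
}

/* Drive the parser over a complete request in 4-octet chunks (simulating
 * small network reads). Returns the HTTP status the server should send, or
 * 0 when the method parsed cleanly; the method is copied into 'out'. */
static int classify_method(const char *request, char *out, size_t outsz)
{
    struct method_parser p;
    size_t off = 0, total = strlen(request);
    method_parser_init(&p);
    while (off < total) {
        size_t n = (total - off < 4) ? total - off : 4;
        size_t used = 0;
        enum parse_status st = method_parser_feed(&p, request + off, n, &used);
        off += used;
        switch (st) {
        case PARSE_OK:
            snprintf(out, outsz, "%s", p.buf);
            return 0;
        case PARSE_NOT_IMPLEMENTED:
            return 501;
        case PARSE_BAD_REQUEST:
            return 400;
        case PARSE_NEED_MORE:
            break;
        }
    }
    return 400;  /* input ended before the SP: request-line is incomplete */
}

int main(void)
{
    /* Constructed sample request-lines for the demonstration. */
    const char *samples[] = {
        "GET /index.html HTTP/1.1\r\n",
        "YO /custom HTTP/1.1\r\n",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /x HTTP/1.1\r\n",
        "GE\x01T / HTTP/1.1\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char method[MAX_METHOD_LEN + 1] = "";
        int code = classify_method(samples[i], method, sizeof method);
        printf("status=%d method=%s\n", code, code == 0 ? method : "-");
    }
    return 0;
}
```

Because the parser is fed in chunks and keeps its own bounded buffer, a client that never sends the SP cannot make the server accumulate more than `MAX_METHOD_LEN` octets of method; the unknown but short "YO" still parses, which is the case a relaying server cares about.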

This archive was generated by hypermail 2.3.1 : Wednesday, 13 March 2013 07:59:09 GMT