
Re: Handling multiple headers when only one is allowed

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 17 Dec 2009 00:05:14 +0100
Cc: Thomas Roessler <tlr@w3.org>, Bil Corry <bil@corry.biz>, public-web-security@w3.org, Mark Nottingham <mnot@mnot.net>
Message-Id: <F9DD7792-DA18-40EB-814C-9C6BCDD9E5C3@w3.org>
To: Michal Zalewski <lcamtuf@coredump.cx>

On 16 Dec 2009, at 21:55, Michal Zalewski wrote:

>> It would seem to me that using the first header would be slightly safer
> 
> To provide some context based on off-list discussions - probably the
> most common example of a HTTP header splitting vulnerability is
> newline injection through user-controlled "Location" header; a close
> second would be newlines in user-specified file names in
> "Content-Disposition".

(As an aside, one can play fun games with the same idea in e-mail -- the precedence problem applies to just about any specification that uses MIME.)

> I also suspect it may be difficult to get HTTP specs to specify
> precedence at any point in the future, as they tend not to focus on
> such earthly things; 

Well, the HTTPbis Working Group might be a better place for that particular discussion than the HTML WG. Mark?

Received on Wednesday, 16 December 2009 23:05:26 GMT
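
Added example (not part of the original message or the thread): a Python sketch of two defensive checks for the issue discussed above, rejecting CR/LF in a user-influenced `Location` value before it is serialized, and flagging a response head that carries a single-valued header more than once. The function names, the set of single-valued headers and the sample response head are assumptions constructed for illustration.

```python
import re

# Assumed subset of headers that may appear only once in a message.
SINGLETON_HEADERS = {"location", "content-disposition", "content-type", "content-length"}

# Control characters, including CR and LF; horizontal tab (0x09) is allowed.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def safe_header_value(value):
    """Return value unchanged, or raise if it could end the header line early."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def build_redirect(target):
    """Serialize a 302 response head; target is treated as untrusted input."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + safe_header_value(target) + "\r\n"
            "Content-Length: 0\r\n\r\n")


def duplicate_singletons(raw_head):
    """Map each single-valued header seen more than once to its values.

    Values are kept in wire order, so a reviewer can see which one a
    first-wins or a last-wins recipient would act on.
    """
    seen = {}
    for line in re.split(r"\r?\n", raw_head)[1:]:   # skip the status line
        if line == "":                              # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in SINGLETON_HEADERS:
            seen.setdefault(name.strip().lower(), []).append(value.strip())
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: a response head as it looks on the wire after an
# unchecked value containing a newline was concatenated into Location.
SPLIT_HEAD = ("HTTP/1.1 302 Found\r\n"
              "Location: /home\r\n"
              "Content-Type: text/plain\r\n"
              "Content-Type: text/html\r\n"
              "\r\n")

if __name__ == "__main__":
    print(duplicate_singletons(SPLIT_HEAD))
```

The same `safe_header_value` check applies to a user-specified file name placed in `Content-Disposition`.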
