On 16 Dec 2009, at 21:55, Michal Zalewski wrote: >> It would seem to me that using the first header would be slightly safer > > To provide some context based on off-list discussions - probably the > most common example of a HTTP header splitting vulnerability is > newline injection through user-controlled "Location" header; a close > second would be newlines in user-specified file names in > "Content-Disposition". (As an aside, one can play fun games with the same idea in e-mail -- the precedence problem applies to just about any specification that uses MIME.) > I also suspect it may be difficult to get HTTP specs to specify > precedence at any point in the future, as they tend not to focus on > such earthly things; Well, the HTTPbis Working Group might be a better place for that particular discussion than the HTML WG. Mark?Received on Wednesday, 16 December 2009 23:05:26 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT