W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Handling multiple headers when only one is allowed

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 17 Dec 2009 13:16:51 +1100
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Bil Corry <bil@corry.biz>, public-web-security@w3.org
Message-Id: <7B9A59D9-5070-4EBC-A2A3-65E04CB5C392@mnot.net>
To: Thomas Roessler <tlr@w3.org>
Sure. We've already talked about assigning a precedence for Content-Length, because of security issues. Best thing to do (as always) is to bring it up on list, with enough information and context to start discussion.

As an aside -- I'm curious about the "they tend not to focus on such earthly things" characterisation. On what basis was that impression formed?

Cheers,



On 17/12/2009, at 10:05 AM, Thomas Roessler wrote:

> On 16 Dec 2009, at 21:55, Michal Zalewski wrote:
> 
>>> It would seem to me that using the first header would be slightly safer
>> 
>> To provide some context based on off-list discussions - probably the
>> most common example of a HTTP header splitting vulnerability is
>> newline injection through user-controlled "Location" header; a close
>> second would be newlines in user-specified file names in
>> "Content-Disposition".
> 
> (As an aside, one can play fun games with the same idea in e-mail -- the precedence problem applies to just about any specification that uses MIME.)
> 
>> I also suspect it may be difficult to get HTTP specs to specify
>> precedence at any point in the future, as they tend not to focus on
>> such earthly things; 
> 
> Well, the HTTPbis Working Group might be a better place for that particular discussion than the HTML WG.  Mark?
> 


--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 17 December 2009 02:17:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT