Re: [whatwg/fetch] Preventing some CRLF header injection attacks (#375)

From http://httpwg.org/specs/rfc7230.html#header.content-length:

> If a message is received that has multiple Content-Length header fields with field-values consisting of the same decimal value, or a single Content-Length header field with a field value containing a list of identical decimal values (e.g., "Content-Length: 42, 42"), indicating that duplicate Content-Length header fields have been generated or combined by an upstream message processor, then the recipient MUST either reject the message as invalid or replace the duplicated field-values with a single valid Content-Length field containing that decimal value prior to determining the message body length or forwarding the message.

http://httpwg.org/specs/rfc7231.html#header.location doesn't have any relevant text; should probably raise a bug in https://github.com/httpwg/http11bis/issues .

What's the attack scenario for Content-Location?

-- 
https://github.com/whatwg/fetch/issues/375#issuecomment-245182202

Received on Wednesday, 7 September 2016 05:52:50 UTC
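The RFC 7230 rule quoted in the message above, applied to raw header lines, as an added example that is not code from the whatwg/fetch thread or from the HTTP WG specs; the function names and the constructed sample inputs in the comments are assumptions made for this illustration.

```javascript
"use strict";

// Parse raw header field lines into [name, value] pairs. A line without a
// field name is rejected, as is any value carrying a bare CR or LF, which
// is the header-injection case the thread is about.
function parseHeaderLines(lines) {
  const fields = [];
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx <= 0) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (/[\r\n]/.test(value)) throw new Error(`CR/LF inside value of ${name}`);
    fields.push([name, value]);
  }
  return fields;
}

// Resolve Content-Length per RFC 7230 section 3.3.2: repeated fields and
// comma-separated lists that all carry the same decimal value collapse to
// that value; any disagreement or non-numeric value means the message is
// invalid and is rejected. Returns null when no Content-Length is present.
// Assumes lengths fit in a JavaScript safe integer (constructed inputs do).
function resolveContentLength(lines) {
  const values = [];
  for (const [name, value] of parseHeaderLines(lines)) {
    if (name !== "content-length") continue;
    // "Content-Length: 42, 42" is a list of two values, not one token.
    for (const part of value.split(",")) {
      const v = part.trim();
      if (!/^[0-9]+$/.test(v)) throw new Error(`invalid Content-Length value: ${JSON.stringify(v)}`);
      values.push(v);
    }
  }
  if (values.length === 0) return null;
  // Compare canonical decimal forms so "042" and "42" count as the same value.
  const canonical = values.map((v) => String(Number(v)));
  if (new Set(canonical).size !== 1) {
    throw new Error(`conflicting Content-Length values: ${values.join(", ")}`);
  }
  return Number(canonical[0]);
}

// Constructed sample input: duplicate fields generated upstream, same value.
// resolveContentLength(["Host: example.test", "Content-Length: 42", "Content-Length: 42"]) returns 42
```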