RE: Escaping control characters in HTTP Digest (RFC 2617) (was: Escaping <\> in HTTP Digest (RFC 2617)) from Eric Lawrence on 2007-05-24 (ietf-http-wg@w3.org from April to June 2007)

From: Eric Lawrence <ericlaw@exchange.microsoft.com>
Date: Thu, 24 May 2007 10:31:45 -0700
To: Robert Sayre <sayrer@gmail.com>
CC: Alexey Melnikov <alexey.melnikov@isode.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <8301DE7F96C0074C8DA98484623D7E51157C43EFBC@DF-MASTIFF-MSG.exchange.corp.microso>

I think the trick is distinguishing between a control character and a byte that's part of a multi-byte international character.

Obviously, we'd need to escape any byte not valid in HTTP headers (e.g. 0x0d, 0x0a) to ensure the integrity of the headers.

-----Original Message-----
From: Robert Sayre [mailto:sayrer@gmail.com]
Sent: Thursday, May 24, 2007 9:58 AM
To: Eric Lawrence
Cc: Alexey Melnikov; ietf-http-wg@w3.org
Subject: Re: Escaping control characters in HTTP Digest (RFC 2617) (was: Escaping <\> in HTTP Digest (RFC 2617))

On 3/23/07, Eric Lawrence <ericlaw@exchange.microsoft.com> wrote:
>
> IE7 uses WDigest.dll, which escapes the \ into \\.
> IE6 and previous versions relied on Digest.dll, which did not escape the \.

What about control characters? Is there any reason to allow them,
escaped or not? I'm actually having problems with malicious
XMLHttpRequest scripts doing this.

--

Robert Sayre

Received on Thursday, 24 May 2007 17:33:00 UTC