- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Tue, 16 Jan 2007 20:47:09 -0600
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: Mark Nottingham <mnot@mnot.net>, Scott Lawrence <scott@skrb.org>, "Roy T.Fielding" <fielding@gbiv.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Henrik Nordstrom wrote:
>
> But the security issues related message bodies deserves a separate
> discussion in what can be done in the specs to improve the situation.

Security issues are caused by implementors. Please reread the Watchfire report carefully to observe all the ways an implementor can do so. But don't cloud the spec solving a non-issue which the spec clearly defined for interoperability.

No conforming server or proxy agent was subject to the HTTP Request Splitting vulnerabilities. (Which is to say all were, but it was very clear in each case what the implementor had done wrong.)

Received on Wednesday, 17 January 2007 02:48:07 UTC