Re: Message delimiting security issues

ons 2007-01-17 klockan 10:55 -0600 skrev William A. Rowe, Jr.:

> Precisely.  It must be accepted, because spaces are allowed between words
> and between word delimiters.  But it must not be transmitted because the
> spec is quite clear in it's construction.  The reporter of issue 30 seems
> to think it's ambiguous, it's not.  Unless EXPLICITLY prohibited LWS is
> accepted.

In this specific case I am leaning more towards that there was an
oversight in the wording of 4.2, forgetting to mention that LWS is not
allowed between the header name and the delimiter. The reasoning being

a) It's not allowed by MIME, which the HTTP header syntax is supposed to
build upon.

b) Clearly not expected to most readers.

c) And nearly all implementations gets this wrong one way or another.


As it's very doubtful there is any implementations relying on this being
allowed today, and the security implications of implementations not
properly ignoring the LWS the question is if 4.2 should be strengthened
disallowing LWS between the header name and the separator (also in line
with MIME header syntax), or if the current messy situation should be
kept relying on each implementer to figure out the implications of
implied *LWS..

> In the case of LWS before a header argument, that's absolutely not valid
> data.  Again, the reporter of issue 30 seems to be confused about the
> distinction between an implementation and a spec.

You mean LWS before a header name? No one has ever claimed that to be
valid, not even the reporter of I30. There is just an observation that
many implementations gets it wrong.

Regards
Henrik

Received on Wednesday, 17 January 2007 19:46:05 UTC