- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Wed, 17 Jan 2007 17:41:46 -0600
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: Henrik Nordstrom <henrik@henriknordstrom.net>, Travis Snoozy <ai2097@users.sourceforge.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Julian Reschke wrote: > > So in this case the robustness principle is causing some of the > interoperability and security problems? Actually not-so-much. If the middle tier properly rephrases the fields and respects all of the guidance for building the outbound request, and either chooses to be very liberal-yet-correct or extremely (and even overly) strict, most of the splitting/spoofing issues would not have occurred in this specific example. The flaws came in where authors made assumptions (leading/trailing white space around the header token treated as the header identifier, or ignoring the rule to ignore C-L in the presence of T-E chunked, etc), trusting user input without validation. That's the root of nearly every vulnerability in the first place.
Received on Wednesday, 17 January 2007 23:42:28 UTC