Re: Message delimiting security issues

Julian Reschke wrote:
> 
> So in this case the robustness principle is causing some of the
> interoperability and security problems?

Actually not-so-much.  If the middle tier properly rephrases the fields
and respects all of the guidance for building the outbound request, and either
chooses to be very liberal-yet-correct or extremely (and even overly) strict,
most of the splitting/spoofing issues would not have occurred in this specific
example.

The flaws came in where authors made assumptions (leading/trailing white
space around the header token treated as the header identifier, or
ignoring the rule to ignore C-L in the presence of T-E chunked, etc.),
trusting user input without validation.  That's the root of nearly
every vulnerability in the first place.

Received on Wednesday, 17 January 2007 23:42:28 UTC
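
An added example, not part of the original message or of any project it discusses: a minimal Python sketch of the "extremely strict" option for a middle tier, which rejects white space around a field name and drops Content-Length whenever Transfer-Encoding: chunked is present before re-emitting the fields. The names `rebuild_headers` and `FramingError` are hypothetical, and the sample header block is constructed.

```python
import re

# HTTP "token" characters permitted in a field name; white space is not among them.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class FramingError(ValueError):
    """The header block is ambiguous and the request must be rejected."""

def rebuild_headers(raw_block: bytes) -> list:
    """Strictly parse a CRLF-delimited header block; return fields safe to re-emit."""
    fields = []
    for line in raw_block.split(b"\r\n"):
        if not line:
            continue
        if b"\r" in line or b"\n" in line:
            raise FramingError("bare CR or LF inside a header line")
        if line[:1] in (b" ", b"\t"):
            raise FramingError("leading white space before field name")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            # Catches "Content-Length : 5" (space before the colon).
            raise FramingError(f"bad field name: {name!r}")
        fields.append((name.lower(), value.strip(b" \t")))

    te = [v for n, v in fields if n == b"transfer-encoding"]
    cl = {v for n, v in fields if n == b"content-length"}
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            raise FramingError("final transfer coding is not chunked")
        # T-E chunked decides the framing: drop C-L so the next hop
        # cannot choose a different message boundary.
        fields = [(n, v) for n, v in fields if n != b"content-length"]
    elif len(cl) > 1 or any(not v.isdigit() for v in cl):
        raise FramingError("conflicting or non-numeric Content-Length")
    return fields

if __name__ == "__main__":
    # Constructed sample: both framing headers present in one request.
    sample = (b"Host: example.test\r\n"
              b"Content-Length: 5\r\n"
              b"Transfer-Encoding: chunked\r\n")
    for name, value in rebuild_headers(sample):
        print(name.decode(), value.decode(), sep=": ")
```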