- From: Amit Klein <aksecurity@gmail.com>
- Date: Sat, 15 Nov 2008 00:54:19 +0200
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: Jamie Lokier <jamie@shareable.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Henrik Nordstrom wrote:
> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote:
>
>> Henrik Nordstrom wrote:
>>
>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote:
>>>
>>>> Yes; we looked at disallowing it, but implementations that support
>>>> folding do already support whitespace-only lines.
>>>>
>>> Some. Many fail, misreading it as end-of-headers...
>>>
>> Last time I looked, I think Mozilla was in that category.
>>
>
> Still?
>
> There was a security whitepaper on this some years ago which made a lot
> of people jump.. (or actually two with about a year in between, one
> looking at responses, one at requests)
>

Yes, that was me ;-)

2004 - HTTP Response Splitting:
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

2005 - HTTP Request Smuggling:
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
Received on Friday, 14 November 2008 22:55:05 UTC