- From: Amit Klein <aksecurity@gmail.com>
- Date: Sat, 15 Nov 2008 01:31:52 +0200
- To: Amit Klein <aksecurity@gmail.com>
- CC: Henrik Nordstrom <henrik@henriknordstrom.net>, Jamie Lokier <jamie@shareable.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Amit Klein wrote: > Henrik Nordstrom wrote: >> On fre, 2008-11-14 at 22:27 +0000, Jamie Lokier wrote: >> >>> Henrik Nordstrom wrote: >>> >>>> On tor, 2008-11-13 at 18:06 -0800, Mark Nottingham wrote: >>>> >>>>> Yes; we looked at disallowing it, but implementations that >>>>> support folding do already support whitespace-only lines. >>>>> >>>> Some. Many fail, misreading it as end-of-headers... >>>> >>> Last time I looked, I think Mozilla was in that category. >>> >> >> Still? >> >> There was a security whitepaper on this some years ago which made a lot >> of people jump.. (or actually two with about a year inbetween, one >> looking at responses, one at requests) >> >> > > Yes, that was me ;-) > > 2004 - HTTP Response Splitting: > http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf > 2005 - HTTP Request Smuggling: > http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf > The "HTTP Request Smuggling" paper is actually the relevant one. I think I made a note about this earlier. -Amit
Received on Friday, 14 November 2008 23:32:39 UTC