- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 21 Jul 2009 11:37:38 +1000
- To: Amit Klein <aksecurity@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Amit,

Just making sure we've closed the loop here:

On 12/09/2008, at 6:05 AM, Amit Klein wrote:

> LWS should not be allowed between the field name and the colon. See
> the section 'The “Double CR in an HTTP header” technique (and the
> “header SP” technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

p1 4.2:

   No whitespace is allowed between the header field-name and colon. For
   security reasons, any request message received containing such
   whitespace MUST be rejected with a response code of 400 (Bad Request)
   and any such whitespace in a response message MUST be removed.

> Lone CR should not be allowed. See the section 'The “Double CR in an
> HTTP header” technique (and the “header SP” technique)' in
> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
> (NOTE: we dubbed it "double CR" because it is part of a sequence CR
> +CR+LF).

CRLF is specified, and the p1 A (Tolerant Applications) notes:

   The line terminator for message-header fields is the sequence CRLF.
   However, we recommend that applications, when parsing such headers,
   recognize a single LF as a line terminator and ignore the leading CR.

> Invalid chars in field name: e.g. use of underscore for attack is
> discussed in http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

Underscores are allowed in HTTP header field-names.

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Tuesday, 21 July 2009 01:38:26 UTC
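The three parsing rules cited in the reply above (p1 4.2 on whitespace before the colon, p1 Appendix A on line terminators, and the token grammar that admits underscores) are easy to get subtly wrong in a header parser. The following is an added illustration, not code from the thread or from either specification draft: a small Python header-section parser that applies those rules and reports the cases a request parser must reject with 400. The function names, the `role` parameter and the sample header blocks are constructed for this example; obs-fold continuation lines are deliberately not supported.

```python
import re

# token = 1*<any CHAR except CTLs or separators>  (RFC 2616 / httpbis p1).
# Underscore is not a separator, so it is a legal field-name character.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """A header section that a request parser must reject with 400 (Bad Request)."""


def split_header_lines(block):
    """Split a raw header section into lines.

    CRLF is the specified terminator; following p1 Appendix A (Tolerant
    Applications) a bare LF is also accepted and the CR preceding an LF is
    ignored.  A CR that is *not* followed by LF is not a terminator and is
    left in the line so the caller can detect it.
    """
    lines = []
    for raw in block.split(b"\n"):
        if raw.endswith(b"\r"):
            raw = raw[:-1]
        lines.append(raw)
    return lines


def parse_headers(block, role="request"):
    """Parse a header section into [(name, value), ...].

    role="request":  whitespace between field-name and colon -> HeaderError,
                     i.e. the 400 that p1 section 4.2 requires.
    role="response": that whitespace is removed instead, as 4.2 requires.
    Any CR still present after line splitting is a lone CR (the "double CR"
    case) and is rejected in both roles.
    Assumption for this example: obs-fold continuation lines are not handled.
    """
    headers = []
    for line in split_header_lines(block):
        if line == b"":
            break  # blank line ends the header section
        if b"\r" in line:
            raise HeaderError("lone CR in header line: %r" % line)
        if b":" not in line:
            raise HeaderError("header line without colon: %r" % line)
        name, value = line.split(b":", 1)
        if name != name.rstrip(b" \t"):
            if role == "request":
                raise HeaderError("whitespace before colon: %r" % name)
            name = name.rstrip(b" \t")
        name_s = name.decode("latin-1")
        if not TOKEN_RE.match(name_s):
            raise HeaderError("invalid field-name: %r" % name)
        headers.append((name_s, value.strip(b" \t").decode("latin-1")))
    return headers


def is_rejected(block, role="request"):
    """True if parse_headers() refuses the block in the given role."""
    try:
        parse_headers(block, role)
    except HeaderError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample header sections, not captured traffic.
    samples = [
        (b"Host: example.com\r\nX_Custom: 1\r\n\r\n", "request"),
        (b"Host: example.com\nContent-Length: 0\n\n", "request"),
        (b"Content-Length : 5\r\n\r\n", "request"),
        (b"Content-Length : 5\r\n\r\n", "response"),
        (b"Foo: bar\r\r\nBaz: 1\r\n\r\n", "request"),
    ]
    for block, role in samples:
        try:
            print(role, block, "->", parse_headers(block, role))
        except HeaderError as err:
            print(role, block, "-> 400 Bad Request:", err)
```

The split step keeps a CR that is not immediately followed by LF inside the line rather than treating it as a terminator, which is what makes the `CR CR LF` sequence visible to the later check; a parser that silently treats any CR as end-of-line would instead see an extra empty line and could end the header section early.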