- From: Amit Klein <aksecurity@gmail.com>
- Date: Tue, 21 Jul 2009 13:11:20 +0300
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Mark et al.

Please see my comment inline.

Thanks,
-Amit

On Tue, Jul 21, 2009 at 4:37 AM, Mark Nottingham<mnot@mnot.net> wrote:
> Hi Amit,
>
> Just making sure we've closed the loop here:
>
>
> On 12/09/2008, at 6:05 AM, Amit Klein wrote:
>
>>
>> LWS should not be allowed between the field name and the colon. See the
>> section 'The “Double CR in an HTTP header” technique (and the “header SP”
>> technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
>
> p1 4.2:
> No whitespace is allowed between the header field-name and colon. For
> security reasons, any request message received containing such whitespace
> MUST be rejected with a response code of 400 (Bad Request) and any such
> whitespace in a response message MUST be removed.
>

Good.

>> Lone CR should not be allowed. See the section 'The “Double CR in an HTTP
>> header” technique (and the “header SP” technique)' in
>> http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we dubbed
>> it "double CR" because it is part of a sequence CR+CR+LF).
>
> CRLF is specified, and the p1 A (Tolerant Applications) notes:
> The line terminator for message-header fields is the sequence CRLF. However,
> we recommend that applications, when parsing such headers, recognize a
> single LF as a line terminator and ignore the leading CR.
>

OK.

>> Invalid chars in field name: e.g. use of underscore for attack is
>> discussed in
>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>
> Underscores are allowed in HTTP header field-names.

In such case, wouldn't there be collisions, e.g. User-Agent and User_Agent both will map into the CGI env variable HTTP_USER_AGENT.
Received on Tuesday, 21 July 2009 10:12:07 UTC
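The three points the exchange above turns on (whitespace between field-name and colon, a CR that is not part of CRLF, and underscores in field-names colliding in the CGI variable namespace) as an added worked example; this is not code from the thread, from the HTTPbis drafts, or from any real server. It is a small strict header-block parser in Python that answers 400 for the first two cases, as p1 4.2 requires, tolerates a bare LF as p1 Appendix A recommends, and then shows why Amit's collision concern holds under the CGI mapping of RFC 3875 (HTTP_ prefix, upper-case, '-' to '_'). The token grammar is the one from the HTTP/1.1 spec (underscore is a token character); the helper names, reason strings and the constructed request bytes in main() are my own and carry no other meaning.

```python
import re

# field-name = token; these are the RFC 7230 tchar characters (note '_').
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    """Raised when the header block must be answered with 400 Bad Request."""


def _header_lines(raw: bytes) -> list[bytes]:
    """Split a complete header block into lines, stopping at the empty line.

    CRLF is the terminator. A bare LF is tolerated and the missing CR
    ignored (p1 Appendix A). A CR that is not immediately followed by LF,
    i.e. the "double CR" CR+CR+LF or a lone CR mid-line, is rejected: two
    parsers that disagree on whether that CR ends a line would see two
    different header sets in the same bytes, which is what smuggling needs.
    Assumes the caller hands over the whole block (this is not a streaming
    parser).
    """
    lines = []
    pieces = raw.split(b"\n")
    for piece in pieces[:-1]:            # text after the final LF is not a line
        if piece.endswith(b"\r"):
            piece = piece[:-1]           # CRLF: drop the CR
        if b"\r" in piece:               # any CR left is lone or doubled
            raise BadRequest("bare CR in header block")
        if piece == b"":
            return lines                 # empty line ends the header block
        lines.append(piece)
    raise BadRequest("header block not terminated by an empty line")


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse a header block into (name, value) pairs, or raise BadRequest."""
    headers = []
    for line in _header_lines(raw):
        if line[:1] in (b" ", b"\t"):
            # obs-fold continuation line; a server may reject it with 400
            raise BadRequest("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without colon")
        if name != name.rstrip(b" \t"):
            # the "header SP" technique: p1 4.2 says MUST reject with 400
            raise BadRequest("whitespace between field-name and colon")
        name_s = name.decode("latin-1")
        if not _TOKEN.match(name_s):
            raise BadRequest("invalid character in field-name")
        headers.append((name_s, value.strip(b" \t").decode("latin-1")))
    return headers


def check_request_headers(raw: bytes) -> tuple[int, str]:
    """Return (status, reason): 200 if the block parses cleanly, else 400."""
    try:
        parse_headers(raw)
        return 200, "ok"
    except BadRequest as exc:
        return 400, str(exc)


def cgi_env_name(field_name: str) -> str:
    """RFC 3875 4.1.18 mapping: HTTP_ + upper-case name with '-' -> '_'.

    The mapping is not injective: User-Agent and User_Agent both become
    HTTP_USER_AGENT, which is the collision raised at the end of the mail.
    """
    return "HTTP_" + field_name.upper().replace("-", "_")


def cgi_collisions(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each CGI variable to the distinct field-names that produce it,
    keeping only variables reached by more than one name."""
    by_env: dict[str, list[str]] = {}
    for name, _ in headers:
        names = by_env.setdefault(cgi_env_name(name), [])
        if name not in names:
            names.append(name)
    return {env: names for env, names in by_env.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed header blocks, not captured traffic.
    samples = {
        "clean":       b"Host: example.com\r\nUser-Agent: real\r\n\r\n",
        "bare LF":     b"Host: example.com\nUser-Agent: real\n\n",
        "header SP":   b"Host : example.com\r\n\r\n",
        "double CR":   b"Host: example.com\r\r\nX-Smuggled: 1\r\n\r\n",
        "lone CR":     b"Host: example.com\rX-Smuggled: 1\r\n\r\n",
    }
    for label, block in samples.items():
        print(f"{label:10s} -> {check_request_headers(block)}")
    # Both names are valid tokens, so both parse; the CGI layer then merges them.
    hdrs = parse_headers(b"User-Agent: real\r\nUser_Agent: injected\r\n\r\n")
    print(cgi_collisions(hdrs))
```

Run it directly to see each constructed block classified and the User-Agent / User_Agent pair reported as one HTTP_USER_AGENT variable; which of the two values the CGI process actually sees is then up to the server's own precedence rule, which is exactly the ambiguity the mail points at.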