- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Tue, 21 Jul 2009 12:06:29 -0500
- To: Amit Klein <aksecurity@gmail.com>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Amit Klein wrote:
>
>>> Invalid chars in field name: e.g. use of underscore for attack is
>>> discussed in
>>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>> Underscores are allowed in HTTP header field-names.
>
> In such case, wouldn't there be collisions, e.g. User-Agent and
> User_Agent both will map into the CGI env variable HTTP_USER_AGENT.

That's not a concern of the http 2616 spec, but an issue for RFC3875.

Note that 4.1 of that RFC does not demand underscores, but illustrates them and states that "A particular system can define a different representation". The obvious system is to invert the dash and underscore provided that the system exposing these variables (e.g. environment tables on most platforms) can represent dashes as well as underscores.

All of the symbols below are permitted as token, AIUI;

"!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~"

As well as all control codes 0 - 31 excluding 9, plus 127.

Of course many of these make no sense, but that's the existing spec. RFC2616bis is not chartered to change the spec, only clarify it.
Received on Tuesday, 21 July 2009 17:07:16 UTC
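The collision the thread discusses (two distinct field names, `User-Agent` and `User_Agent`, landing on the same `HTTP_USER_AGENT` meta-variable) is easy to reproduce and to detect. The following is an added example, not code from the thread or from any server mentioned in it. It implements the RFC 3875 section 4.1.18 mapping as the example's author reads it (prefix `HTTP_`, uppercase, dash to underscore), a token check based on the RFC 2616 section 2.2 grammar as the example's author reads it, a collision finder, and one defensive policy for building the CGI environment: drop any field name that contains an underscore, since such a name can only ever shadow a legitimate dashed one. The header list is constructed sample input; the function and variable names are the example's own.

```python
# Added example: RFC 3875-style CGI meta-variable mapping and the
# User-Agent / User_Agent collision it produces.

# RFC 2616 section 2.2 separators, as read by this example's author.
_SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(name: str) -> bool:
    """True if `name` is a non-empty RFC 2616 token: any US-ASCII CHAR
    except CTLs (0-31 and 127) and separators (assumption: this reading
    of the grammar)."""
    if not name:
        return False
    for ch in name:
        code = ord(ch)
        if code > 127 or code < 32 or code == 127 or ch in _SEPARATORS:
            return False
    return True


def cgi_meta_variable(field_name: str) -> str:
    """Map an HTTP field name to its CGI meta-variable name:
    HTTP_ prefix, uppercase, '-' replaced by '_' (RFC 3875 4.1.18)."""
    return "HTTP_" + field_name.upper().replace("-", "_")


def find_collisions(field_names):
    """Group field names by meta-variable; return only the groups where
    more than one distinct field name maps to the same variable."""
    groups = {}
    for name in field_names:
        groups.setdefault(cgi_meta_variable(name), set()).add(name)
    return {var: sorted(names) for var, names in groups.items() if len(names) > 1}


def safe_cgi_environment(headers):
    """Build HTTP_* variables from (name, value) pairs.

    Policy (this example's own choice): reject non-token names and any
    name containing '_', so no request header can shadow a dashed one.
    Repeated legitimate names are folded into one comma-joined value.
    """
    env = {}
    for name, value in headers:
        if not is_token(name) or "_" in name:
            continue  # ambiguous or malformed: never reaches the script
        var = cgi_meta_variable(name)
        env[var] = value if var not in env else env[var] + ", " + value
    return env


if __name__ == "__main__":
    # Constructed sample request headers, including the colliding pair.
    sample_headers = [
        ("Host", "example.invalid"),
        ("User-Agent", "Mozilla/5.0"),
        ("User_Agent", "spoofed"),
        ("X-Foo", "a"),
        ("X-Foo", "b"),
    ]
    names = [n for n, _ in sample_headers]
    print("collisions:", find_collisions(names))
    print("environment:", safe_cgi_environment(sample_headers))
```

Running the script shows `User-Agent` and `User_Agent` both mapping to `HTTP_USER_AGENT`, and the hardened environment keeping only the dashed header's value while folding the two `X-Foo` values into one variable.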