- From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
- Date: Tue, 21 Jul 2009 12:17:23 -0500
- To: Amit Klein <aksecurity@gmail.com>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
William A. Rowe, Jr. wrote:
> Amit Klein wrote:
>>>> Invalid chars in field name: e.g. use of underscore for attack is
>>>> discussed in
>>>> http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
>>> Underscores are allowed in HTTP header field-names.
>> In such case, wouldn't there be collisions, e.g. User-Agent and
>> User_Agent both will map into the CGI env variable HTTP_USER_AGENT.
>
> That's not a concern of the http 2616 spec, but an issue for RFC3875.
> Note that 4.1 of that RFC does not demand underscores, but illustrates
> them and states that "A particular system can define a different
> representation".
>
> The obvious system is to invert the dash and underscore provided that
> the system exposing these variables (e.g. environment tables on most
> platforms) can represent dashes as well as underscores.
>
> All of the symbols below are permitted as token, AIUI;
>
> "!" "#" "$" "%" "&" "'" "*" "+" "-" "." "^" "_" "`" "|" "~"

The above is correct, that's where my brain failed me...

<incorrect>
> As well as all control codes 0 - 31 excluding 9, plus 127. Of course
> many of these make no sense, but that's the existing spec. RFC2616bis
> is not chartered to change the spec, only clarify it.
</incorrect>

Momentary space-out there, sorry for the misinformation; of course...

token = 1*<any CHAR except CTLs or separators>
Received on Tuesday, 21 July 2009 17:18:08 UTC
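The two points in the message above, that underscore is a legal token character under RFC 2616 while CTLs and separators are not, and that the RFC 3875 convention of rewriting "-" to "_" makes User-Agent and User_Agent collide in HTTP_USER_AGENT, can be checked directly. The following is an added example written for this page; it is not code from the thread, from Apache, or from any RFC. The function names (is_token, cgi_meta_var_rfc3875, cgi_meta_var_inverted, cgi_environ), the "invert dash and underscore" mapper, and the sample header list are my own constructions; the inverted mapper only illustrates the alternative representation the thread mentions and is not a scheme any server is known to use.

```python
# Added example (not from the thread or any RFC): check RFC 2616 token
# syntax and show the RFC 3875 header -> CGI meta-variable collision.

# RFC 2616 section 2.2: CHAR is US-ASCII 0-127, CTL is 0-31 plus 127,
# and separators are the characters listed below.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')
CTLS = {chr(c) for c in range(0, 32)} | {chr(127)}


def is_token(s):
    """True if s matches  token = 1*<any CHAR except CTLs or separators>."""
    if not s:                      # 1* means at least one character
        return False
    for ch in s:
        if ord(ch) > 127 or ch in CTLS or ch in SEPARATORS:
            return False
    return True


def cgi_meta_var_rfc3875(field_name):
    """RFC 3875 section 4.1.18 illustration: upper-case the field-name,
    replace '-' with '_', and prefix HTTP_."""
    return 'HTTP_' + field_name.upper().replace('-', '_')


def cgi_meta_var_inverted(field_name):
    """Hypothetical alternative discussed in the thread: swap '-' and '_'
    so the two spellings stay distinguishable (only usable where the
    environment table can hold '-' in a variable name)."""
    swapped = field_name.upper().translate(str.maketrans('-_', '_-'))
    return 'HTTP_' + swapped


def cgi_environ(headers, mapper=cgi_meta_var_rfc3875):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs.

    Returns (env, collisions): env maps meta-variable -> value (values that
    land on the same variable are joined with ', ' as RFC 3875 does for
    repeated fields), and collisions maps each meta-variable that was fed
    by more than one distinct field-name to the list of those names.
    """
    env = {}
    sources = {}
    for name, value in headers:
        if not is_token(name):
            raise ValueError('invalid field-name: %r' % (name,))
        var = mapper(name)
        names = sources.setdefault(var, [])
        if name not in names:
            names.append(name)
        env[var] = value if var not in env else env[var] + ', ' + value
    collisions = {v: n for v, n in sources.items() if len(n) > 1}
    return env, collisions


# Constructed sample request headers: a normal User-Agent plus an
# attacker-supplied User_Agent (underscore is a valid token character).
SAMPLE_HEADERS = [
    ('Host', 'example.test'),
    ('User-Agent', 'Mozilla/5.0'),
    ('User_Agent', '<script>alert(1)</script>'),
]

if __name__ == '__main__':
    for name in ('User_Agent', 'User-Agent', 'User Agent', 'X\tY', 'a:b'):
        print('%-12r token=%s' % (name, is_token(name)))
    env, col = cgi_environ(SAMPLE_HEADERS)
    print('RFC 3875 mapping :', env, 'collisions:', col)
    env, col = cgi_environ(SAMPLE_HEADERS, cgi_meta_var_inverted)
    print('inverted mapping :', env, 'collisions:', col)
```

Under the RFC 3875 mapping the script's User_Agent value is merged into HTTP_USER_AGENT, which is exactly the collision Amit Klein asks about; a CGI script that echoes HTTP_USER_AGENT unescaped would emit the attacker's value. Under the inverted mapping the two field-names land on different variables and the collision disappears, at the cost of a variable name containing "-".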