- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Thu, 23 Jul 2009 21:48:12 +0200
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Thu 2009-07-23 at 14:00 +1200, Adrien de Croy wrote:

> Normally this wouldn't be particularly interesting - just another broken
> site. However all the browsers I tested swallowed this without
> complaining and displayed the body. I tested IE8, Chrome, FF3.5 and
> Opera 9.6.4. Each of the lines in the response was terminated by CRLF
> (not bare LF), so I'm struggling to see how anyone can interpret the PHP
> warning as anything resembling a valid header (even wrapped, since no
> leading WS).

Heh.. your message got me to test how Squid behaves, and the result was not quite what I remembered.

It by default logs those non-header error lines without a : in the debug log and strips them from the response. In this setting it also removes spaces before : if any is seen.

There is a setting to barf loudly and reject the response, but it's not enabled by default (it then stops at "PHP Warning:" barfing on the space character).

Servers allowing applications to send headers like this are a security issue, as they open up for cache poisoning attacks if an attacker can inject data there, but provided proxies handle corrupted messages reasonably well it's isolated to their own content, so it's not considered a major issue.

Regards
Henrik
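The two proxy policies Henrik describes (lenient: log and strip colon-less lines, trim whitespace before the colon; strict: reject the whole response at the first bad field-name) as an added example written for this page, not Squid's own code. The sample response below is constructed; the parser and its anomaly log are my own and only model the behaviour described above.

```python
import re
from dataclasses import dataclass, field

# RFC 7230 "token" characters: the only ones allowed in a header field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class ParsedHead:
    status_line: str
    headers: list = field(default_factory=list)    # (name, value) pairs kept
    anomalies: list = field(default_factory=list)  # lines dropped or repaired
    rejected: bool = False                         # strict mode refused it


def parse_response_head(raw: bytes, strict: bool = False) -> ParsedHead:
    """Parse an HTTP response head up to the blank line.
    strict=False: log and drop malformed lines, trim whitespace before ':'.
    strict=True: refuse the whole message at the first malformed line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    result = ParsedHead(status_line=lines[0])
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and result.headers:  # obs-fold continuation
            name, value = result.headers[-1]
            result.headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        clean = name.rstrip(" \t")
        problems = []
        if not sep:
            problems.append("no colon")
        elif clean != name:
            problems.append("whitespace before ':'")
        if sep and not _TOKEN.match(clean):
            problems.append("field-name is not a token")  # e.g. "PHP Warning"
        if problems:
            result.anomalies.append(", ".join(problems) + ": " + line)
            if strict:
                result.rejected = True
                break
            if not sep or not _TOKEN.match(clean):
                continue  # lenient: drop the line rather than guess a name
        result.headers.append((clean, value.strip()))
    return result


# Constructed sample: a PHP warning leaked into the header block.
SAMPLE = (b"HTTP/1.1 200 OK\r\nPHP Warning:  include(): failed to open stream\r\n"
          b"in /var/www/page.php on line 3\r\nContent-Type : text/html\r\n"
          b"Content-Length: 5\r\n\r\nhello")
```

In lenient mode the warning and its continuation line are logged and dropped and the headers that remain are the two legitimate ones; in strict mode the response is rejected at the first line.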
Received on Thursday, 23 July 2009 19:48:55 UTC