- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 Feb 2012 15:20:57 +1100
- To: Willy Tarreau <w@1wt.eu>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "Julian F. Reschke" <julian.reschke@gmx.de>
My .02 - I'm +1 on everything except the last sentence; read literally, it prohibits a CR not followed by a LF *anywhere* in the message, and even if that's fixed, it's too prohibitive (the ABNF already requires CRLF).

That makes it:

> Likewise, although the line terminator for the start-line and header
> fields is the sequence CRLF, we recommend that recipients recognize a
> single LF as a line terminator and ignore the preceding CR, if present.

BTW, I think we're getting to wordsmithing here; does anyone disagree with the general sentiment?

Regards,

On 07/02/2012, at 2:18 PM, Mark Nottingham wrote:

>> 3.5. Message Parsing Robustness
>>
>>> Likewise, although the line terminator for the start-line and header
>>> fields is the sequence CRLF, we recommend that recipients recognize a
>>> single LF as a line terminator and ignore any CR.
>>
>> Does this mean that CR CR CR CR CR CR LF should be interpreted as a single
>> LF? It kind of scares me on the risk of smuggling attacks. I'd rather
>> suggest:
>>
>> ... we recommend that recipients recognize a single LF as a line
>> terminator and ignore the optional preceding CR. Messages containing
>> a CR not followed by an LF MUST be rejected.
>
> I've created <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/340>.

--
Mark Nottingham
http://www.mnot.net/
Received on Tuesday, 7 February 2012 04:26:26 UTC
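The three readings being debated in the thread, as an added example that is not code from the thread or from httpbis: a header-line reader that strips one optional CR before LF (the proposed wording), one that strips every CR (the "ignore any CR" reading Willy worries about), and one that rejects a CR not followed by LF (Willy's MUST). The sample message is constructed for the demo; the header parsing is deliberately minimal.

```python
CR, LF = b"\r", b"\n"

def read_line_lenient(buf, pos):
    """Proposed wording: LF terminates the line; exactly one CR directly
    before the LF is dropped. Any other CR stays in the line as data."""
    end = buf.index(LF, pos)          # ValueError if no LF at all
    line = buf[pos:end]
    if line.endswith(CR):
        line = line[:-1]
    return line, end + 1

def read_line_strip_all(buf, pos):
    """'Ignore any CR' reading: every CR vanishes, so CR CR CR LF == LF.
    The CRs leave no trace, which is why it reads as a smuggling risk."""
    end = buf.index(LF, pos)
    return buf[pos:end].replace(CR, b""), end + 1

def read_line_strict(buf, pos):
    """Willy's wording: as lenient, but a CR not followed by LF is fatal."""
    line, nxt = read_line_lenient(buf, pos)
    if CR in line:
        raise ValueError("bare CR in start-line or header field")
    return line, nxt

def parse_headers(buf, reader):
    """Read start-line and header fields up to the empty line.
    Returns (start_line, [(name, value), ...], body_offset).
    Only SP/HTAB are trimmed around values so a surviving CR is visible."""
    start, pos = reader(buf, 0)
    headers = []
    while True:
        line, pos = reader(buf, pos)
        if line == b"":
            return start, headers, pos
        name, _, value = line.partition(b":")
        headers.append((name.strip(b" \t").lower(), value.strip(b" \t")))

# Constructed sample: a bare-LF start-line, a field ending in CR CR CR LF.
SAMPLE = b"GET / HTTP/1.1\nHost: example\r\r\r\nX: y\r\n\r\nbody"

if __name__ == "__main__":
    for reader in (read_line_lenient, read_line_strip_all, read_line_strict):
        try:
            print(reader.__name__, parse_headers(SAMPLE, reader))
        except ValueError as e:
            print(reader.__name__, "rejected:", e)
```

Under the lenient reading the stray CRs survive as part of the Host value, where downstream validation can still see them; under the strip-all reading they silently disappear.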