Re: HTTP/2: Another reason to find a safer encoding

On Tue, Jul 31, 2012 at 12:36 PM, Willy Tarreau <> wrote:
> Hi,
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks :
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.

What do you have in mind?

The problem is that implementations tend to be liberal in accepting
inputs. That is mostly due to laziness - being strict is harder. As
long as an input can be mapped to an acceptable value, no harm is done
to the internal state, therefore there's no incentive for
implementations to reject illegal inputs. This is the reality, no
matter how sternly the spec emphasizes the MUST NOTs.

Zhong Yu

Received on Wednesday, 1 August 2012 00:24:41 UTC