- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Sat, 06 Oct 2012 01:14:31 +1300
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
I've recently had to explain why Squid does not accept trailing SP characters after the HTTP-version part of HTTP/1.1 request lines. It seems the security considerations are missing a reference to the potential nefarious requests it would enable.

The case in question is a lenient parser which splits the request-line on SP assuming that the URL contained no SP characters un-encoded. Such a parser would be vulnerable to malicious clients sending a URL with embedded \0x20HTTP/1.0\0x20 followed by one smuggled header (Host being the most deadly).

Implementations which instead work forward to the CRLF delimiter then backwards to the previous SP delimiter (or something to that effect) are tolerant of the broken servers and clients which fail to encode SP characters within sent URLs without being vulnerable to this problem case. At the expense that they cannot accept a request-line terminated with SP after the HTTP-version field.

AYJ
Received on Friday, 5 October 2012 12:15:14 UTC
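The two parsing strategies contrasted in the message above, as an added illustration that is not Squid's code or part of the original post: a hypothetical lenient parser that tokenizes on SP and hands any leftover bytes to the header parser, beside the forward-to-CRLF-then-back-to-last-SP approach. The request lines are constructed samples; the only assumption is that the lenient parser treats the remainder of the line as a header, which is the failure mode the post describes.

```python
from typing import NamedTuple, Optional

SP, CRLF = b" ", b"\r\n"


class Parsed(NamedTuple):
    method: bytes
    target: bytes
    version: bytes
    smuggled_header: Optional[bytes]  # only the lenient parser ever fills this


def parse_lenient(line: bytes) -> Optional[Parsed]:
    """Hypothetical lenient parser: split on SP, take the first three tokens,
    and treat whatever is left on the line as the first header line."""
    if not line.endswith(CRLF):
        return None
    tokens = line[:-2].split(SP, 3)
    if len(tokens) < 3:
        return None
    rest = tokens[3].strip(SP) if len(tokens) == 4 else b""
    return Parsed(tokens[0], tokens[1], tokens[2], rest or None)


def parse_backward(line: bytes) -> Optional[Parsed]:
    """Forward to CRLF, then backward to the last SP: the version is whatever
    follows that SP and everything between the first and last SP is the target,
    so an unencoded SP inside the URL can never reach the header boundary."""
    end = line.find(CRLF)
    if end < 0:
        return None
    first = line.find(SP, 0, end)
    last = line.rfind(SP, 0, end)
    if first < 0 or last == first:
        return None
    method, target, version = line[:first], line[first + 1:last], line[last + 1:end]
    # A trailing SP leaves an empty version, which is why this style of parser
    # must reject "... HTTP/1.1 \r\n" rather than tolerate it.
    if not method or not target or not version.startswith(b"HTTP/"):
        return None
    return Parsed(method, target, version, None)


# Constructed request lines: a clean one, one with an unencoded SP in the URL,
# one with a trailing SP, and one carrying the embedded " HTTP/1.0 " shape.
SAMPLES = {
    "clean": b"GET / HTTP/1.1\r\n",
    "raw_sp_in_url": b"GET /my file.txt HTTP/1.1\r\n",
    "trailing_sp": b"GET / HTTP/1.1 \r\n",
    "embedded_version": b"GET /a HTTP/1.0 Host:evil.example HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "lenient:", parse_lenient(line), "backward:", parse_backward(line))
```

With the embedded-version sample the lenient parser reports version HTTP/1.0 and a smuggled Host header, while the backward parser keeps the whole run of bytes inside the target and sees only HTTP/1.1.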