- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 19 May 2013 15:32:54 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Fixed in http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2260

....Roy

On Apr 19, 2013, at 9:07 PM, Mark Nottingham wrote:

> p1 3.2.4 defines requirements for handling obs-fold:
>
>> When an obs-fold is received in a message, recipients MUST do one of:
>>
>> • accept the message and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream;
>> • if it is a request, reject the message by sending a 400 (Bad Request) response with a representation explaining that obsolete line folding is unacceptable; or,
>> • if it is a response, discard the message and generate a 502 (Bad Gateway) response with a representation explaining that unacceptable line folding was received.
>>
>> Recipients that choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing header fields with leading whitespace, as this can expose them to attacks that exploit this difference in processing.
>
> This seems to repeat itself; what is the difference between choosing to reject the request in the manner described in the last two bullet points, and not accepting the message?
>
> I think that the last sentence can be removed.
>
> --
> Mark Nottingham http://www.mnot.net/
Received on Sunday, 19 May 2013 22:33:11 UTC
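
The three recipient options quoted in the message above, as an added Python example that is not part of the original thread or of the httpbis draft. The function names, policy strings and sample header block are assumptions made for illustration; obs-fold is taken to be CRLF followed by one or more SP/HTAB octets.

```python
import re

# obs-fold = CRLF 1*( SP / HTAB ): a field value continued on the next line.
OBS_FOLD = re.compile(rb"\r\n[ \t]+")


class ObsFoldRejected(Exception):
    """Raised when the recipient refuses a message that contains obs-fold."""

    def __init__(self, status: int):
        super().__init__(f"obsolete line folding is unacceptable ({status})")
        self.status = status


def handle_obs_fold(header_block: bytes, is_request: bool, policy: str) -> bytes:
    """Apply one quoted recipient option to a CRLF-terminated header block.

    policy (hypothetical names): "single-sp", "same-length" or "reject".
    """
    if policy not in ("single-sp", "same-length", "reject"):
        raise ValueError(policy)
    if not OBS_FOLD.search(header_block):
        return header_block  # nothing folded, nothing to do
    if policy == "reject":
        # 400 for a folded request, 502 for a folded response.
        raise ObsFoldRejected(400 if is_request else 502)
    if policy == "same-length":
        # Overwrite the whole fold, CRLF included, with SP octets so the
        # buffer keeps its length (this example's reading of "matching number").
        return OBS_FOLD.sub(lambda m: b" " * len(m.group(0)), header_block)
    return OBS_FOLD.sub(b" ", header_block)


def field_lines(header_block: bytes) -> list[bytes]:
    """Naive CRLF split, as a parser without obs-fold processing would do."""
    return [line for line in header_block.split(b"\r\n") if line]


# Constructed sample: X-Note is folded with CRLF SP HTAB (a 4-octet fold).
SAMPLE = b"Host: example.test\r\nX-Note: first\r\n \tsecond\r\n"

if __name__ == "__main__":
    print(field_lines(SAMPLE))  # third "line" starts with whitespace
    print(field_lines(handle_obs_fold(SAMPLE, True, "single-sp")))
```

The naive split leaves a line with leading whitespace, which is the case the last quoted sentence says a recipient without obs-fold processing must not accept.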