Re: Header Parsing Profile

On 29/07/2014 7:19 p.m., Willy Tarreau wrote:
> On Tue, Jul 29, 2014 at 04:54:46PM +1000, Mark Nottingham wrote:
>> In Toronto, we briefly discussed an idea that came up earlier on the list --
>> creating a specification for error handling when parsing HTTP headers. 
>> This would be an optional profile; implementations or applications that
>> choose to use it can do so, but its use would not be mandated.
> I think it can make the general culture more aware of header formats.
> Most of the ugliness we see in the field comes from people who think they
> know so they don't need to check specs, and making more people aware
> of general principles around header parsing could actually improve
> this situation.
>> There seemed to be support and interest in work in this area. However, we
>> need to gather more information, I think. 
>> So, I've started a wiki page to gather possible areas of work here:
>> Please contribute.
> I hope to find some time to contribute as I think it's useful and needed.


IMHO, this effort could grow into a security profile for HTTP parsers,
meeting our charter requirement for improving security.


Received on Tuesday, 29 July 2014 11:35:01 UTC