- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 15 Oct 2018 10:43:45 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Julian,

On Mon, Oct 15, 2018 at 08:25:08AM +0200, Julian Reschke wrote:
> On 2018-10-15 07:21, Mark Nottingham wrote:
> > <https://github.com/httpwg/http-core/issues/30>
> >
> > We discussed this in Montreal, and there seemed to be support in the room (and on the issues list) for restricting the characters available in HTTP headers to a more reasonable range.
> >
> > The straw-man I put into the issue was:
> >
> > 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
> >
> > What do folks think about this?
> >
> > If a server were to reject request headers that include characters outside this range, I think we'd be OK, since browsers don't produce such things (AFAICT; of course, we'd want to look into this more closely first).
> >
> > I'd imagine that clients (especially browsers) would want to run some experiments first, and probably warn in the console, etc. before failing hard on this.
> >
> > Thoughts?
> >
> > Cheers,
>
> I'm not convinced (but I could be).
>
> What actual problem are we solving with that?

I'd say that we limit the exposure on dirty servers. For example, I've seen several times quickly implemented scripts basically doing

  $ eval "hdr_$name=$value"

By having '|', '`' and '$' there you see how dangerous this can be for users who would never even imagine that the server they execute into allows this.

> Do HTTP clients/servers currently reject illegal field names (do we have
> tests for that)? If they do not, why?

As I mentioned, haproxy does reject a lot of them. It once failed on an application bug (the application was placing '/' into header field names), but the rest of the time these are attacks seen on the internet side.

I'm thinking that we could suggest something less extreme than blocking, consisting in simply removing such header fields. If these ones are placed by accident they will have no impact. If they are really needed, the effect will be the same as if the header was rejected.

This would allow distinguishing between "forbidden characters" and "unusual characters".

Regards,
Willy
Received on Monday, 15 October 2018 08:44:14 UTC
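Added illustration, not code from this thread or from haproxy: a Python sketch of the three-way split Willy's reply implies, using RFC 7230's tchar as the hard limit, the straw-man grammar from issue #30 as the "usual" set, and a filter that removes offending fields rather than rejecting the request. The sample headers are constructed.

```python
import re
import string

# RFC 7230 "tchar": every character a field-name may legally contain.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

# Straw-man from httpwg/http-core issue #30: 1*( "-" / "_" / "." / "+" / DIGIT / ALPHA )
STRAWMAN_RE = re.compile(r"[-_.+0-9A-Za-z]+")


def classify_field_name(name: str) -> str:
    """'forbidden' = not a token at all (empty, or a non-tchar such as '/' or SP);
    'unusual' = legal token using characters outside the straw-man set, e.g.
    '|', '`', '$', the shell metacharacters that bite an eval-based script;
    'usual' = matches the straw-man grammar."""
    if not name or any(c not in TCHAR for c in name):
        return "forbidden"
    if STRAWMAN_RE.fullmatch(name):
        return "usual"
    return "unusual"


def filter_headers(headers, drop_unusual=True):
    """Remove rather than reject: return (kept, dropped).
    Forbidden names are always dropped; unusual names only when drop_unusual
    is set, so the softer policy can be applied without failing the request."""
    kept, dropped = [], []
    for name, value in headers:
        cls = classify_field_name(name)
        if cls == "forbidden" or (drop_unusual and cls == "unusual"):
            dropped.append((name, value, cls))
        else:
            kept.append((name, value))
    return kept, dropped


# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("X-Request-Id", "7f3a"),
    ("X_Tenant", "acme"),   # underscore: allowed by the straw-man
    ("X|Odd", "1"),         # legal tchar, outside the straw-man
    ("X$Odd", "2"),         # legal tchar, outside the straw-man
    ("X/Broken", "3"),      # '/' is not a tchar: the application bug Willy mentions
]

if __name__ == "__main__":
    kept, dropped = filter_headers(SAMPLE_HEADERS)
    print("kept:", [n for n, _ in kept], "dropped:", [(n, c) for n, _, c in dropped])
```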