- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Thu, 20 May 2021 18:02:06 +0000
- To: Willy Tarreau <w@1wt.eu>
- cc: Martin Thomson <mt@lowentropy.net>, ietf-http-wg@w3.org
--------
Willy Tarreau writes:
> Hi Martin,
>
> On Thu, May 20, 2021 at 02:34:15PM +1000, Martin Thomson wrote:
> > Coming back to this.
> >
> > Mark points out that if the purpose of these rules is to cut back on ways in
> > which smuggling might occur (not prevent, that's a fool's errand), then we
> > should also prohibit 0x00-0x1f and 0x7f (the ASCII control characters) and
> > 0x20 (SP) from field names. I think that's reasonable, but I want to check
> > here. That shouldn't make this harder to implement and it might catch some
> > genuine problems.
>
> I really agree. I don't remember if 0x80 and above are forbidden in H2 but
> I'd personally prefer to block them so that we don't needlessly introduce
> the risk of aliasing due to different codings being used. Protocol elements
> that define how messages should be delimited/routed/etc must be strictly
> defined and easy to enforce in implementations and applications.

+1

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Thursday, 20 May 2021 18:02:25 UTC
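
The field-name restriction discussed in this message, as an added example that is not part of the original email or of any implementation named in it: a check that flags 0x00-0x1f, 0x7f, 0x20 and 0x80 and above in decoded field names, reporting the offset and class of each offending byte. The function names, the sample header block and the choice to reject the whole block on one bad name are assumptions of this example.

```python
# Added example. Byte ranges are the ones named in the thread; all names,
# the sample fields and the reject-the-whole-block policy are assumptions.
from typing import Dict, List, Optional, Tuple

Violation = Tuple[int, int, str]  # (offset in name, byte value, reason)

def classify_byte(b: int) -> Optional[str]:
    """Return why a byte is prohibited in a field name, or None if allowed."""
    if b <= 0x1F or b == 0x7F:
        return "control"      # ASCII control characters, including DEL
    if b == 0x20:
        return "space"        # SP: a lenient peer may trim it and alias names
    if b >= 0x80:
        return "non-ascii"    # meaning depends on which coding the peer assumes
    return None

def check_field_name(name: bytes) -> List[Violation]:
    """List every prohibited byte in a field name, in order of appearance."""
    return [(i, b, r) for i, b in enumerate(name)
            if (r := classify_byte(b)) is not None]

def screen_header_block(fields) -> Tuple[bool, Dict[bytes, List[Violation]]]:
    """Check a decoded header block; one bad name fails the whole block."""
    problems = {}
    for name, _value in fields:
        bad = check_field_name(name)
        if bad:
            problems[name] = bad
    return (not problems), problems

# Constructed sample: names as they might look after header decompression.
SAMPLE = [
    (b":method", b"POST"),
    (b"content-length", b"5"),
    (b"transfer-encoding ", b"chunked"),   # trailing SP
    (b"x-debug\x00", b"1"),                # embedded NUL
    (b"x-caf\xc3\xa9", b"1"),              # UTF-8 bytes above 0x7f
]

if __name__ == "__main__":
    ok, problems = screen_header_block(SAMPLE)
    print("accepted" if ok else "rejected")
    for name, bad in problems.items():
        for offset, byte, reason in bad:
            print(f"  {name!r}: offset {offset}, byte 0x{byte:02x} ({reason})")
```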