- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 17 Dec 2009 09:08:44 +0100
- To: Thomas Roessler <tlr@w3.org>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, Bil Corry <bil@corry.biz>, public-web-security@w3.org, Mark Nottingham <mnot@mnot.net>

Thomas Roessler wrote:
> On 16 Dec 2009, at 21:55, Michal Zalewski wrote:
>
>>> It would seem to me that using the first header would be slightly safer
>> To provide some context based on off-list discussions - probably the
>> most common example of a HTTP header splitting vulnerability is
>> newline injection through user-controlled "Location" header; a close
>> second would be newlines in user-specified file names in
>> "Content-Disposition".
>
> (As an aside, one can play fun games with the same idea in e-mail -- the precedence problem applies to just about any specification that uses MIME.)
>
>> I also suspect it may be difficult to get HTTP specs to specify
>> precedence at any point in the future, as they tend not to focus on
>> such earthly things;
>
> Well, the HTTPbis Working Group might be a better place for that particular discussion than the HTML WG. Mark?

There's a related open issue: <http://tools.ietf.org/wg/httpbis/trac/ticket/95>.

Best regards, Julian

Received on Thursday, 17 December 2009 08:09:33 UTC
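
The following is an added example, not part of the original message or of any code from the thread's participants. It shows how a newline in a user-controlled "Location" value produces a duplicated header whose precedence recipients must then guess, and a server-side check that rejects such values (the same check applies to file names placed in "Content-Disposition"). All function names, the `SINGLE_VALUED` set and the sample input are assumptions made for this illustration.

```python
import re

# Headers expected at most once per response; a duplicate leaves recipients
# to decide which copy wins (set chosen for this example).
SINGLE_VALUED = {"location", "content-disposition", "content-type", "content-length"}

# Any control character, CR and LF included (HTAB too, a conservative choice).
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_header_value(value: str) -> str:
    """Return value unchanged, or raise if it contains a control character."""
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def build_headers_naive(location: str) -> str:
    # Unsafe pattern: user-controlled text is concatenated into the header block.
    return "Location: " + location + "\r\n" + "Content-Type: text/html\r\n"


def build_headers_checked(location: str) -> str:
    # Same block, but the value is validated before it reaches the wire.
    return "Location: " + safe_header_value(location) + "\r\n" + "Content-Type: text/html\r\n"


def duplicated_headers(block: str) -> dict:
    """Map each single-valued header seen more than once to its values, in wire order."""
    seen = {}
    for line in block.split("\r\n"):
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in SINGLE_VALUED:
            seen.setdefault(key, []).append(value.strip())
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed input: a redirect target carrying CRLF and a second header line.
SAMPLE = "/home\r\nContent-Type: text/plain"

if __name__ == "__main__":
    # The naive builder emits two Content-Type headers; which one a client
    # honours depends on whether it takes the first or the last copy.
    print(duplicated_headers(build_headers_naive(SAMPLE)))
    try:
        build_headers_checked(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```
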