Re: Handling multiple headers when only one is allowed

Thomas Roessler wrote:
> On 16 Dec 2009, at 21:55, Michal Zalewski wrote:
> 
>>> It would seem to me that using the first header would be slightly safer
>> To provide some context based on off-list discussions - probably the
>> most common example of a HTTP header splitting vulnerability is
>> newline injection through user-controlled "Location" header; a close
>> second would be newlines in user-specified file names in
>> "Content-Disposition".
> 
> (As an aside, one can play fun games with the same idea in e-mail -- the precedence problem applies to just about any specification that uses MIME.)
> 
>> I also suspect it may be difficult to get HTTP specs to specify
>> precedence at any point in the future, as they tend not to focus on
>> such earthly things; 
> 
> Well, the HTTPbis Working Group might be a better place for that particular discussion than the HTML WG.  Mark?

There's a related open issue: 
<http://tools.ietf.org/wg/httpbis/trac/ticket/95>.

Best regards, Julian

Received on Thursday, 17 December 2009 08:09:33 UTC
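
An added example, not part of the original thread: it shows the "Location" case described in the quoted text, where an embedded newline in a user-controlled value yields two headers and precedence then decides which one applies, next to a check that refuses such values. The function names, the `SINGLE_VALUED` set and the sample target are assumptions made for illustration.

```python
import re

# Assumption for this example: headers treated as single-valued.
SINGLE_VALUED = {"location", "content-disposition", "content-type", "content-length"}


class HeaderError(ValueError):
    """Raised when a header value could break out of its line."""


def safe_header_value(value: str) -> str:
    # CR, LF and NUL end or corrupt a header line; refuse rather than strip.
    if re.search(r"[\r\n\x00]", value):
        raise HeaderError("control character in header value")
    return value


def naive_redirect(target: str) -> bytes:
    # Vulnerable pattern: user-controlled value concatenated unchecked.
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n".encode("latin-1")


def checked_redirect(target: str) -> bytes:
    # Same response, but the value is validated before it reaches the header.
    return naive_redirect(safe_header_value(target))


def duplicate_single_valued(raw_head: bytes) -> dict:
    """Return {name: [values...]} for single-valued headers seen more than once."""
    seen = {}
    for line in raw_head.split(b"\r\n")[1:]:  # skip the status line
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            if key in SINGLE_VALUED:
                seen.setdefault(key, []).append(value.strip().decode("latin-1"))
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed input: a redirect target carrying an embedded CRLF.
CONSTRUCTED_TARGET = "/home\r\nLocation: https://other.example/"

if __name__ == "__main__":
    print(duplicate_single_valued(naive_redirect(CONSTRUCTED_TARGET)))
    try:
        checked_redirect(CONSTRUCTED_TARGET)
    except HeaderError as exc:
        print("rejected:", exc)
```

The duplicate report is useful on the receiving side as well: a response that carries two values for a single-valued header can be logged or rejected instead of silently picking the first or the last.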