p1: handling obs-fold
Mark Nottingham <mnot@mnot.net> Sat, 20 April 2013 04:08 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71EE221F9193 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 Apr 2013 21:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.437
X-Spam-Level:
X-Spam-Status: No, score=-10.437 tagged_above=-999 required=5 tests=[AWL=0.162, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Rds+hqx6gv3 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 Apr 2013 21:08:17 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id DCF0021F918C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 19 Apr 2013 21:08:17 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UTP5o-00051M-R6 for ietf-http-wg-dist@listhub.w3.org; Sat, 20 Apr 2013 04:08:04 +0000
Resent-Date: Sat, 20 Apr 2013 04:08:04 +0000
Resent-Message-Id: <E1UTP5o-00051M-R6@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UTP5m-00050Y-1I for ietf-http-wg@listhub.w3.org; Sat, 20 Apr 2013 04:08:02 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UTP5l-0005mX-Dj for ietf-http-wg@w3.org; Sat, 20 Apr 2013 04:08:01 +0000
Received: from mnot-mini.mnot.net (unknown [118.209.190.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 1408B50A86 for <ietf-http-wg@w3.org>; Sat, 20 Apr 2013 00:07:39 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Message-Id: <2118F2B3-643F-4D2E-85E9-60988EF6C839@mnot.net>
Date: Sat, 20 Apr 2013 14:07:39 +1000
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-3.3
X-W3C-Hub-Spam-Report: AWL=-3.310, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1UTP5l-0005mX-Dj b0267badea3b767c12fa385ec40e7f0b
X-Original-To: ietf-http-wg@w3.org
Subject: p1: handling obs-fold
Archived-At: <http://www.w3.org/mid/2118F2B3-643F-4D2E-85E9-60988EF6C839@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17374
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
p1 3.2.4 defines requirements for handling obs-fold: > When an obs-fold is received in a message, recipients MUST do one of: > > • accept the message and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream; > • if it is a request, reject the message by sending a 400 (Bad Request) response with a representation explaining that obsolete line folding is unacceptable; or, > • if it is a response, discard the message and generate a 502 (Bad Gateway) response with a representation explaining that unacceptable line folding was received. > > Recipients that choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing header fields with leading whitespace, as this can expose them to attacks that exploit this difference in processing. This seems to repeat itself; what is the difference between choosing to reject the request in the manner described in the last two bullet points, and not accepting the message? I think that the last sentence can be removed. -- Mark Nottingham http://www.mnot.net/
- p1: handling obs-fold Mark Nottingham
- Re: p1: handling obs-fold Willy Tarreau
- Re: p1: handling obs-fold Mark Nottingham
- Re: p1: handling obs-fold Amos Jeffries
- Re: p1: handling obs-fold Roy T. Fielding