httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject TWS ";" LWS permitted by RFC 7230 4.1.1? Apparently, no.
Date Mon, 15 Jun 2015 16:33:31 GMT
Reviewing the spec, I cannot find where Sambar server is permitted to
insert whitespace. I further reviewed the ABNF appendix, and it does not
appear there, either.

The spec seems unambiguous;

chunk          = chunk-size [ chunk-ext ] CRLF
                 chunk-data CRLF
chunk-size     = 1*HEXDIG
last-chunk     = 1*("0") [ chunk-ext ] CRLF

There is no opportunity to use whitespace outside of chunk-ext.

chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
chunk-ext-name = token
chunk-ext-val  = token / quoted-string

The rules in section 3.2.3 have become extremely strict;

3.2.3 <>.  Whitespace

   This specification uses three rules to denote the use of linear
   whitespace: OWS (optional whitespace), RWS (required whitespace), and
   BWS ("bad" whitespace).

   The OWS rule is used where zero or more linear whitespace octets
   might appear.  For protocol elements where optional whitespace is
   preferred to improve readability, a sender SHOULD generate the
   optional whitespace as a single SP; otherwise, a sender SHOULD NOT
   generate optional whitespace except as needed to white out invalid or
   unwanted protocol elements during in-place message filtering.

   The RWS rule is used when at least one linear whitespace octet is
   required to separate field tokens.  A sender SHOULD generate RWS as a
   single SP.

   The BWS rule is used where the grammar allows optional whitespace
   only for historical reasons.  A sender MUST NOT generate BWS in
   messages.  A recipient MUST parse for such bad whitespace and remove
   it before interpreting the protocol element.

And section 3.6.1 of RFC2616 made no accommodation for whitespace, in
the first place.

I think Sambar is wrong and we should not be supporting this.

If we make provision to support this, we should be disallowing

by default and add a directive to change the behavior.


View raw message