httpd-dev mailing list archives

From: Jacob Champion <champio...@gmail.com>
Subject: Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c
Date: Wed, 03 Aug 2016 18:44:33 GMT

On 07/31/2016 09:18 AM, William A Rowe Jr wrote:
>> So all the trailing SP/HTAB are part of obs-fold IMHO.
>> Should we replace all of them (plus the CRLF) with a single SP or with
>> as many SP?
>
> Hmmm... Good point. Advancing over them in our HTTP_STRICT mode seems
> best, if we have a consensus on this.

Agreed that we should process all the obs-fold whitespace, and not just 
one byte.

Replacing each byte with a separate space (as opposed to condensing into 
a single space) *might* help prevent adversaries from playing games with 
header length checks in more complicated/layered systems. That's 
probably a stretch though. And if we consume the CRLF in a different 
layer of logic, adding on two spaces just to keep everything 
"consistent" may also be a stretch. I'm not feeling strongly either way.

>> > So the obs-fold itself consists of CR LF [ SP | TAB ]
>>
>>    obs-fold = CRLF 1*( SP / HTAB )
>>

Note that this section of the spec has Errata associated with it; I'm 
reading through the conversation [1] and it's seeming like they *may* 
want to treat OWS preceding the CRLF as part of the obs-fold as well. I 
don't know what our position is on adopting pieces of Errata that have 
been Held for Document Update.

--Jacob

[1] https://www.ietf.org/mail-archive/web/httpbisa/current/msg23721.html
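
An added example, not part of the original message and not httpd code: a C function showing the two unfolding choices discussed above (one SP per obs-fold byte versus a single SP for the whole fold), using the obs-fold grammar quoted in the message. The name `unfold_obs_fold` and its `keep_len` parameter are hypothetical, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd code. Unfolds obs-fold in place:
 *   obs-fold = CRLF 1*( SP / HTAB )
 * keep_len != 0: each fold byte (CR, LF, every SP/HTAB) becomes one SP,
 *                so the value keeps its on-the-wire length.
 * keep_len == 0: the whole fold collapses to a single SP.
 * Returns the new length, or (size_t)-1 on a CR or LF that does not start
 * a valid fold (buf may be partly rewritten by then; reject the request). */
size_t unfold_obs_fold(char *buf, size_t len, int keep_len)
{
    size_t r = 0, w = 0;

    while (r < len) {
        size_t end;

        if (buf[r] != '\r' && buf[r] != '\n') {
            buf[w++] = buf[r++];
            continue;
        }
        /* Require CR LF followed by at least one SP or HTAB. */
        if (buf[r] != '\r' || r + 2 >= len || buf[r + 1] != '\n'
            || (buf[r + 2] != ' ' && buf[r + 2] != '\t'))
            return (size_t)-1;
        /* Advance over all trailing SP/HTAB, not just the first byte. */
        for (end = r + 2; end < len && (buf[end] == ' ' || buf[end] == '\t'); end++)
            ;
        if (keep_len) {
            while (r < end) { buf[w++] = ' '; r++; }
        } else {
            buf[w++] = ' ';
        }
        r = end;
    }
    if (w < len)
        buf[w] = '\0';
    return w;
}

int main(void)
{
    char a[] = "abc\r\n \t  def";   /* constructed sample value */
    char b[] = "abc\r\n \t  def";
    size_t n = strlen(a);
    printf("%zu -> %zu (one SP per byte)\n", n, unfold_obs_fold(a, n, 1));
    printf("%zu -> %zu (single SP)\n", n, unfold_obs_fold(b, n, 0));
    return 0;
}
```

The function handles only the grammar as quoted; it does not treat OWS preceding the CRLF as part of the fold.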
