httpd-dev mailing list archives

From William A Rowe Jr <>
Subject Re: svn commit: r1764961 - in /httpd/httpd/trunk: docs/manual/mod/core.xml modules/http/http_filters.c server/core.c server/gen_test_char.c server/protocol.c server/util.c
Date Mon, 17 Oct 2016 19:02:36 GMT
On Mon, Oct 17, 2016 at 1:48 PM, Roy T. Fielding <> wrote:

> On Oct 15, 2016, at 2:10 AM, William A Rowe Jr <> wrote:
> On Sat, Oct 15, 2016 at 3:54 AM, William A Rowe Jr <> wrote:
>> On Fri, Oct 14, 2016 at 4:44 PM, Roy T. Fielding <> wrote:
>>> Right, though several people have requested it now as errata. Seems
>>> likely to be in the final update for STD.
>> In the HttpProtocolOptions Unsafe mode, it is tolerated.
>> Should it be the proper 'Strict' behavior to parse (never generate) such
>> noise?
> FWIW, I see very little harm in potentially unsafe chunk headers because
> it becomes a serious chore to inject between alternating \r-only vs
> \n-only vs space trailing chunk headers. I'm not suggesting it can't be
> done, but most requests-with-body are intrinsically not idempotent, so
> one must be extremely clever to affect cache history.
> But it isn't impossible, so if the editors follow the way of BWS vs.
> follow the absolute explicit statements about HTTP request field names
> and the trailing ':', I'd be somewhat disappointed. Tighten ambiguity
> where there was little ambiguity before. Make explicit the real ambiguity
> for all user-agents and servers to implement. /shrug.
> We tried.  People complained.
> In any case, BWS only includes *( SP / HTAB ).  Not much ambiguity there.

Fair enough. There is no BWS allowed at present, nor a bare CR or LF, at
this point. httpd is free to respond with any action it likes.

The original and distributed behaviors allow CRLF or LF; CR followed by
other than LF was disallowed. The new trunk behavior disallows a bare LF also.

The original action was *(SP / HTAB), the distributed behavior restricts
to 10 SP/HTAB characters, the new trunk behavior disallows SP / HTAB
between the final hex digit and ';' delimiter. Note that we don't support
the true *(SP / HTAB) rule by limiting it very severely.

I favor leaving the new no-space-tolerance rule but will accept the group's
choices; Roy appears to concede to accepting some BWS. I guess a quick
poll is in order... opinions?
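
The three chunk-size line behaviors compared in the message above, as an added example that is not part of the original message and is not httpd's code. The policy names and `chunk_line_ok` are hypothetical, and the example assumes whitespace after the last hex digit is treated the same whether a ';' or the line terminator follows.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
/* Hypothetical labels for the three behaviours described in the message. */
enum chunk_policy { POLICY_ORIGINAL, POLICY_DISTRIBUTED, POLICY_TRUNK };

/* Accept (1) or reject (0) one NUL-terminated chunk-size line; on success
 * *size receives the parsed chunk size. */
int chunk_line_ok(const char *s, enum chunk_policy p, unsigned long *size)
{
    unsigned long n = 0;
    size_t i = 0, ws = 0;
    if (!isxdigit((unsigned char)s[0]))
        return 0;                          /* need at least one hex digit */
    for (; isxdigit((unsigned char)s[i]); i++) {
        int c = tolower((unsigned char)s[i]);
        if (n > (ULONG_MAX >> 4))
            return 0;                      /* size would overflow */
        n = (n << 4) | (unsigned long)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    /* Assumption: SP/HTAB after the last hex digit is counted the same way
     * whether a ';' extension or the line terminator follows. */
    for (; s[i] == ' ' || s[i] == '\t'; i++)
        ws++;
    if ((p == POLICY_TRUNK && ws > 0) || (p == POLICY_DISTRIBUTED && ws > 10))
        return 0;
    if (s[i] == ';')                       /* skip the chunk extension */
        while (s[i] != '\0' && s[i] != '\r' && s[i] != '\n')
            i++;
    if (s[i] == '\r' && s[i + 1] == '\n')
        i += 2;                            /* CRLF: accepted by all three */
    else if (s[i] == '\n' && p != POLICY_TRUNK)
        i += 1;                            /* bare LF: rejected by trunk only */
    else
        return 0;                          /* bare CR, or no terminator */
    if (s[i] != '\0')
        return 0;                          /* input must be exactly one line */
    *size = n;
    return 1;
}

int main(void)
{
    unsigned long n = 0;
    /* Constructed sample: one space before the extension delimiter. */
    printf("distributed: %d\n", chunk_line_ok("1a ;x=y\r\n", POLICY_DISTRIBUTED, &n));
    printf("trunk:       %d\n", chunk_line_ok("1a ;x=y\r\n", POLICY_TRUNK, &n));
    return 0;
}
```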
