https://issues.apache.org/bugzilla/show_bug.cgi?id=45180
--- Comment #4 from Jim Manico <jim@manico.net> 2008-06-11 17:36:39 PST ---
It is actually quite illegal to have \r (carriage return) or \n (newline) inside
of an HTTP 1.1 Header Value. If any HTTP server allows CRLF inside of a header
value, it can and will lead to HTTP Response Splitting Attacks.
http://en.wikipedia.org/wiki/HTTP_response_splitting
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
defines a field value to be of the following form. LWS is whitespace, so we are
really concerned about field-content in the spec.
field-value = *( field-content | LWS )
field-content = <the OCTETs making up the field-value
and consisting of either *TEXT or combinations
of token, separators, and quoted-string>
That leads us to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
as Mark pointed out. TEXT and TOKEN explicitly disallow \r\n:
token = 1*<any CHAR except CTLs or separators>
TEXT = <any OCTET except CTLs,
but including LWS>
Where CTLs are defined as:
CTL = <any US-ASCII control character
(octets 0 - 31) and DEL (127)>
Separators are different from CTLs.
That leads us to quoted-strings
quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
Whose elements are defined as:
qdtext = <any TEXT except <">>
The backslash character ("\") MAY be used as a single-character quoting
mechanism only within quoted-string and comment constructs.
quoted-pair = "\" CHAR
Ah, so RFC 2616 DID allow \r\n in header values, you might say - but changeset
238 http://www3.tools.ietf.org/wg/httpbis/trac/changeset/238 amended RFC 2616
to disallow quoted-pair escaping of NUL, CR and LF.
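The grammar walked through in the comment above, turned into a byte-level check, as an added example that is not code from the bug report, from Tomcat or from the RFCs. The function and header names (check_field_value, naive_redirect, safe_redirect, header_names) and the sample values are this example's own, and the check makes one assumption the comment does not state: the CRLF that LWS permits for line folding is rejected along with bare CR/LF, on the grounds that an emitter should never fold and a folded line is still attacker-controlled header text. The allow_escaped_ctl switch shows the difference between the original RFC 2616 quoted-pair rule and the reading after changeset 238.

```python
"""Header field-value check for an HTTP emitter.

Added example (not code from the Tomcat bug, Tomcat itself or the RFCs): a
byte-level check built from the RFC 2616 grammar quoted in the comment
above, plus a small emitter that shows what an unchecked value does to the
response. Sample values below are constructed for the demonstration.
"""

NUL, HT, LF, CR, DQUOTE, BACKSLASH, DEL = 0x00, 0x09, 0x0A, 0x0D, 0x22, 0x5C, 0x7F


def is_ctl(o: int) -> bool:
    """CTL = <any US-ASCII control character (octets 0 - 31) and DEL (127)>."""
    return o < 0x20 or o == DEL


def check_field_value(value: bytes, allow_escaped_ctl: bool = False):
    """Return None if value is a legal field-value, else (offset, reason).

    Outside a quoted-string every octet must be TEXT (any OCTET except
    CTLs); HT is the one CTL that LWS admits, so it is accepted. The CRLF
    that LWS allows for line folding is deliberately NOT accepted here
    (assumption of this example): an emitter should never fold, and a
    folded line is still attacker-controlled header text.
    Inside a quoted-string a backslash starts a quoted-pair with the next
    CHAR (octets 0-127). allow_escaped_ctl=True keeps the original RFC 2616
    reading, under which backslash followed by CR or LF is grammatical; the
    default applies httpbis changeset 238, which removes NUL, CR and LF
    from quoted-pair.
    """
    in_quoted = False
    i, n = 0, len(value)
    while i < n:
        o = value[i]
        if in_quoted:
            if o == BACKSLASH:
                if i + 1 >= n:
                    return i, "backslash with nothing to escape"
                nxt = value[i + 1]
                if nxt > 0x7F:
                    return i + 1, "quoted-pair needs a CHAR (octets 0-127)"
                if nxt in (NUL, CR, LF) and not allow_escaped_ctl:
                    return i + 1, "quoted-pair may not escape NUL, CR or LF"
                i += 2
                continue
            if o == DQUOTE:
                in_quoted = False
            elif is_ctl(o) and o != HT:
                return i, "CTL inside quoted-string"
        elif o == DQUOTE:
            in_quoted = True
        elif is_ctl(o) and o != HT:
            return i, "CTL in field-content"
        i += 1
    if in_quoted:
        return n, "unterminated quoted-string"
    return None


def naive_redirect(location: bytes) -> bytes:
    """The vulnerable pattern: the value is pasted into the header block as-is."""
    return b"HTTP/1.1 302 Found\r\nLocation: " + location + b"\r\nContent-Length: 0\r\n\r\n"


def safe_redirect(location: bytes) -> bytes:
    """Same response, but the Location value must pass check_field_value first."""
    problem = check_field_value(location)
    if problem is not None:
        offset, reason = problem
        raise ValueError(f"refusing Location value: {reason} at offset {offset}")
    return naive_redirect(location)


def header_names(raw: bytes) -> list:
    """Names of the header lines a client would see in a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0] for line in lines if b":" in line]


if __name__ == "__main__":
    # Constructed attacker input: a path, then a CRLF and a second header.
    payload = b"/home\r\nSet-Cookie: session=attacker"
    print(header_names(naive_redirect(payload)))  # [b'Location', b'Set-Cookie', b'Content-Length']
    print(check_field_value(payload))             # (5, 'CTL in field-content')
    try:
        safe_redirect(payload)
    except ValueError as e:
        print(e)
    # Quoted-pair: legal under the original RFC 2616 text, rejected after changeset 238.
    escaped = b'"a\\\r"'
    print(check_field_value(escaped, allow_escaped_ctl=True))  # None
    print(check_field_value(escaped))  # (3, 'quoted-pair may not escape NUL, CR or LF')
```

The returned offset is meant to be logged rather than echoed back to the client: the point of the check is that a CR, LF or NUL never reaches the wire inside a header line, whichever of the two quoted-pair readings the emitter is configured for.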