tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45180] CRLF Newline characters stripped from header values
Date Thu, 12 Jun 2008 00:36:41 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45180





--- Comment #4 from Jim Manico <jim@manico.net>  2008-06-11 17:36:39 PST ---
It is actually quite illegal to have \r (carriage return) \n (newline) inside
of an HTTP 1.1 Header Value. If any HTTP server allows CRLF inside of a header
value, it can and will lead to HTTP Response Splitting Attacks.
http://en.wikipedia.org/wiki/HTTP_response_splitting

http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2

defines a field value to be of the following form. LWS is whitespace, so we are
really concerned about field-content in the spec.

field-value    = *( field-content | LWS )
field-content  = <the OCTETs making up the field-value
                        and consisting of either *TEXT or combinations
                        of token, separators, and quoted-string>

That leads us to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
as Mark pointed out. TEXT and TOKEN explicitly disallow \r\n:

       token          = 1*<any CHAR except CTLs or separators>
       TEXT           = <any OCTET except CTLs,
                        but including LWS>

Where CTLs are defined as:

       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

Separators are different from CTLs.

That leads us to quoted-strings

      quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )

Whose elements are defined as:

       qdtext         = <any TEXT except <">>

The backslash character ("\") MAY be used as a single-character quoting
mechanism only within quoted-string and comment constructs.

       quoted-pair    = "\" CHAR

Ah, so RFC 2616 DID allow \r\n in header values you might say - but changeset
238 http://www3.tools.ietf.org/wg/httpbis/trac/changeset/238 amended RFC 2616
to disallow quoted-pair escaping of NUL, CR and LF.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
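
The grammar walked through in the comment above, written as a Java check. This is an added example, not part of the original message and not Tomcat's code; the class and method names are hypothetical, the sample values are constructed, and the value is assumed to hold one char per octet (ISO-8859-1).

```java
public final class HeaderValueCheck {

    // True if the value fits the RFC 2616 field-value grammar quoted above,
    // with the changeset 238 restriction on quoted-pair applied.
    // Balanced quotes are not enforced; only the octet rules are checked.
    static boolean isValidFieldValue(String value) {
        boolean inQuotes = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c > 0xFF) return false;                  // not a single OCTET
            if (inQuotes && c == '\\') {                 // quoted-pair = "\" CHAR
                if (i + 1 >= value.length()) return false;
                char q = value.charAt(++i);
                // CHAR is US-ASCII; NUL, CR and LF may not be escaped
                if (q > 127 || q == 0 || q == '\r' || q == '\n') return false;
                continue;
            }
            if (c == '"') { inQuotes = !inQuotes; continue; }
            if (c == '\r') {
                // CR is legal only as LWS folding: CRLF followed by SP or HT.
                // Callers that never fold can reject CR and LF outright.
                if (i + 2 >= value.length() || value.charAt(i + 1) != '\n') return false;
                char next = value.charAt(i + 2);
                if (next != ' ' && next != '\t') return false;
                i += 2;
                continue;
            }
            if (c == '\t') continue;                     // HT is part of LWS
            if (c < 32 || c == 127) return false;        // any other CTL, bare LF included
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {                             // constructed sample values
            "text/html; charset=UTF-8",                  // plain TEXT
            "attachment; filename=\"a\\\"b.txt\"",       // quoted-pair escaping a quote
            "first line\r\n continued",                  // CRLF + SP: folding (LWS)
            "value\r\nX-Injected: 1",                    // CRLF starting a new header line
            "\"a\\\rb\"",                                // quoted-pair escaping CR
            "a\nb"                                       // bare LF
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(isValidFieldValue(s) + "  " + shown);
        }
    }
}
```

The first three samples pass and the last three are rejected.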
