tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 45180] CRLF Newline characters stripped from header values
Date Thu, 12 Jun 2008 00:36:41 GMT

--- Comment #4 from Jim Manico <>  2008-06-11 17:36:39 PST ---
It is actually quite illegal to have \r (carriage return) \n (newline) inside
of a HTTP 1.1 Header Value. If any HTTP server allows CLRF inside of a header
value, it can and will lead to HTTP Response Splitting Attacks.

defines a field value to be of the following form. LWS is whitespace, so we are
really concerned about field-content in the spec.

field-value    = *( field-content | LWS )
field-content  = <the OCTETs making up the field-value
                        and consisting of either *TEXT or combinations
                        of token, separators, and quoted-string>

That leads us to
as Mark pointed out. TEXT and TOKEN explicitly disallows \r\n:

       token          = 1*<any CHAR except CTLs or separators>
       TEXT           = <any OCTET except CTLs,
                        but including LWS>

Where CTL's are defined as:

       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

Separators are different from CTL's. 

That leads us to quoted-strings

      quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )

Whose elements are defined as:

       qdtext         = <any TEXT except <">>

The backslash character ("\") MAY be used as a single-character quoting
mechanism only within quoted-string and comment constructs.

       quoted-pair    = "\" CHAR

Ah, so rtf 2616 DID allow \r\n in header values you might say - but changeset
238 amended rfc 2616
to disallow quoted-pair escaping of NUL, CR and LF. 

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message