Context Navigation

← Previous Change
Next Change →

p1-messaging.xml

Timestamp:

09/08/11 00:46:19 (10 years ago)

Author:

fielding@…

Message:

Reorganize and clarify the sections on message header parsing.

File:

: 1 edited

draft-ietf-httpbis/latest/p1-messaging.xml (modified) (10 diffs)

Legend:

: Unmodified
: Added
: Removed

draft-ietf-httpbis/latest/p1-messaging.xml

-                      r1392
+                      r1393
                  ; see <xref target="header.fields"/>
 </artwork></figure>
+<t anchor="rule.token.separators">
+  <x:anchor-alias value="tchar"/>
+  <x:anchor-alias value="token"/>
+  <x:anchor-alias value="special"/>
+  <x:anchor-alias value="word"/>
+   Many HTTP/1.1 header field values consist of words (token or quoted-string)
+   separated by whitespace or special characters. These special characters
+   &MUST; be in a quoted string to be used within a parameter value (as defined
+   in <xref target="transfer.codings"/>).
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="word"/><iref primary="true" item="Grammar" subitem="token"/><iref primary="true" item="Grammar" subitem="tchar"/><iref primary="true" item="Grammar" subitem="special"/>
+  <x:ref>word</x:ref>           = <x:ref>token</x:ref> / <x:ref>quoted-string</x:ref>
+  <x:ref>token</x:ref>          = 1*<x:ref>tchar</x:ref>
+<!--
+  IMPORTANT: when editing "tchar" make sure that "special" is updated accordingly!!!
+ -->
+  <x:ref>tchar</x:ref>          = "!" / "#" / "$" / "%" / "&amp;" / "'" / "*"
+                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+                 / <x:ref>DIGIT</x:ref> / <x:ref>ALPHA</x:ref>
+                 ; any <x:ref>VCHAR</x:ref>, except <x:ref>special</x:ref>
+  <x:ref>special</x:ref>        = "(" / ")" / "&lt;" / ">" / "@" / ","
+                 / ";" / ":" / "\" / DQUOTE / "/" / "["
+                 / "]" / "?" / "=" / "{" / "}"
+</artwork></figure>
+<t anchor="rule.quoted-string">
+  <x:anchor-alias value="quoted-string"/>
+  <x:anchor-alias value="qdtext"/>
+  <x:anchor-alias value="obs-text"/>
+   A string of text is parsed as a single word if it is quoted using
+   double-quote marks.
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="quoted-string"/><iref primary="true" item="Grammar" subitem="qdtext"/><iref primary="true" item="Grammar" subitem="obs-text"/>
+  <x:ref>quoted-string</x:ref>  = <x:ref>DQUOTE</x:ref> *( <x:ref>qdtext</x:ref> / <x:ref>quoted-pair</x:ref> ) <x:ref>DQUOTE</x:ref>
+  <x:ref>qdtext</x:ref>         = <x:ref>OWS</x:ref> / %x21 / %x23-5B / %x5D-7E / <x:ref>obs-text</x:ref>
+                 ; <x:ref>OWS</x:ref> / &lt;<x:ref>VCHAR</x:ref> except <x:ref>DQUOTE</x:ref> and "\"&gt; / <x:ref>obs-text</x:ref>
+  <x:ref>obs-text</x:ref>       = %x80-FF
+</artwork></figure>
+<t anchor="rule.quoted-pair">
+  <x:anchor-alias value="quoted-pair"/>
+   The backslash octet ("\") can be used as a single-octet
+   quoting mechanism within quoted-string constructs:
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="quoted-pair"/>
+  <x:ref>quoted-pair</x:ref>    = "\" ( <x:ref>WSP</x:ref> / <x:ref>VCHAR</x:ref> / <x:ref>obs-text</x:ref> )
+</artwork></figure>
+<t>
+   Recipients that process the value of the quoted-string &MUST; handle a
+   quoted-pair as if it were replaced by the octet following the backslash.
+</t>
+<t>
+   Senders &SHOULD-NOT; escape octets that do not require escaping
+   (i.e., other than DQUOTE and the backslash octet).
+</t>
+</section>
+</section>
 </section>
 </section>
 …
 </t>
+<section title="Message Parsing Robustness" anchor="message.robustness">
+<section title="Message Parsing and Robustness" anchor="message.robustness">
+<t>
+   The normal procedure for parsing an HTTP message is to read the
+   start-line into a structure, read each header field into a hash
+   table by field name until the empty line, and then use the parsed
+   data to determine if a message-body is expected.  If a message-body
+   has been indicated, then it is read as a stream until an amount
+   of octets equal to the message-body length is read or the connection
+   is closed.
+</t>
+<t>
+   Care must be taken to parse an HTTP message as a sequence
+   of octets in an encoding that is a superset of US-ASCII.  Attempting
+   to parse HTTP as a stream of Unicode characters in a character encoding
+   like UTF-16 might introduce security flaws due to the differing ways
+   that such parsers interpret invalid characters.
+</t>
+<t>
+   Older HTTP/1.0 client implementations might send an extra CRLF
+   after a POST request as a lame workaround for some early server
+   applications that failed to read message-body content that was
+   not terminated by a line-ending. An HTTP/1.1 client &MUST-NOT;
+   preface or follow a request with an extra CRLF.  If terminating
+   the request message-body with a line-ending is desired, then the
+   client &MUST; include the terminating CRLF octets as part of the
+   message-body length.
+</t>
 <t>
    In the interest of robustness, servers &SHOULD; ignore at least one
 …
 </t>
 <t>
-   Some old HTTP/1.0 client implementations send an extra CRLF
-   after a POST request as a lame workaround for some early server
-   applications that failed to read message-body content that was
-   not terminated by a line-ending. An HTTP/1.1 client &MUST-NOT;
-   preface or follow a request with an extra CRLF.  If terminating
-   the request message-body with a line-ending is desired, then the
-   client &MUST; include the terminating CRLF octets as part of the
-   message-body length.
-</t>
-<t>
    When a server listening only for HTTP request messages, or processing
    what appears from the start-line to be an HTTP request message,
 …
    grammar aside from the robustness exceptions listed above, the
    server &MUST; respond with an HTTP/1.1 400 (Bad Request) response.
-</t>
-<t>
-   The normal procedure for parsing an HTTP message is to read the
-   start-line into a structure, read each header field into a hash
-   table by field name until the empty line, and then use the parsed
-   data to determine if a message-body is expected.  If a message-body
-   has been indicated, then it is read as a stream until an amount
-   of octets equal to the message-body length is read or the connection
-   is closed.  Care must be taken to parse an HTTP message as a sequence
-   of octets in an encoding that is a superset of US-ASCII.  Attempting
-   to parse HTTP as a stream of Unicode characters in a character encoding
-   like UTF-16 might introduce security flaws due to the differing ways
-   that such parsers interpret invalid characters.
-</t>
-<t>
-   HTTP allows the set of defined header fields to be extended without
-   changing the protocol version (see <xref target="header.field.registration"/>).
-   Unrecognized header fields &MUST; be forwarded by a proxy unless the
-   proxy is specifically configured to block or otherwise transform such
-   fields.  Unrecognized header fields &SHOULD; be ignored by other recipients.
 </t>
 </section>
 …
 </artwork></figure>
 <t>
+   No whitespace is allowed between the header field name and colon. For
+   security reasons, any request message received containing such whitespace
+   &MUST; be rejected with a response code of 400 (Bad Request). A proxy
+   &MUST; remove any such whitespace from a response message before
+   forwarding the message downstream.
+</t>
+<t>
+   A field value &MAY; be preceded by optional whitespace (OWS); a single SP is
+   preferred. The field value does not include any leading or trailing white
+   space: OWS occurring before the first non-whitespace octet of the
+   field value or after the last non-whitespace octet of the field value
+   is ignored and &SHOULD; be removed before further processing (as this does
+   not change the meaning of the header field).
+   The field-name token labels the corresponding field-value as having the
+   semantics defined by that header field.  For example, the Date header field
+   is defined in <xref target="header.date"/> as containing the origination
+   timestamp for the message in which it appears.
+</t>
+<t>
+   HTTP header fields are fully extensible: there is no limit on the
+   introduction of new field names, each presumably defining new semantics,
+   or on the number of header fields used in a given message.  Existing
+   fields are defined in each part of this specification and in many other
+   specifications outside the standards process.
+   New header fields can be introduced without changing the protocol version
+   if their defined semantics allow them to be safely ignored by recipients
+   that do not recognize them.
+</t>
+<t>
+   New HTTP header fields &SHOULD; be registered with IANA according
+   to the procedures in <xref target="header.field.registration"/>.
+   Unrecognized header fields &MUST; be forwarded by a proxy unless the
+   field-name is listed in the Connection header field
+   (<xref target="header.connection"/>) or the proxy is specifically
+   configured to block or otherwise transform such fields.
+   Unrecognized header fields &SHOULD; be ignored by other recipients.
 </t>
 <t>
 …
   </t>
 </x:note>
+<section title="Field Parsing" anchor="field.parsing">
+<t>
+   No whitespace is allowed between the header field-name and colon.
+   In the past, differences in the handling of such whitespace have led to
+   security vulnerabilities in request routing and response handling.
+   Any received request message that contains whitespace between a header
+   field-name and colon &MUST; be rejected with a response code of 400
+   (Bad Request).  A proxy &MUST; remove any such whitespace from a response
+   message before forwarding the message downstream.
+</t>
+<t>
+   A field value &MAY; be preceded by optional whitespace (OWS); a single SP is
+   preferred. The field value does not include any leading or trailing white
+   space: OWS occurring before the first non-whitespace octet of the
+   field value or after the last non-whitespace octet of the field value
+   is ignored and &SHOULD; be removed before further processing (as this does
+   not change the meaning of the header field).
+</t>
 <t>
    Historically, HTTP header field values could be extended over multiple
 …
    folding except within the message/http media type
    (<xref target="internet.media.type.message.http"/>).
    HTTP/1.1 senders &MUST-NOT; produce messages that include line folding
+   HTTP senders &MUST-NOT; produce messages that include line folding
    (i.e., that contain any field-content that matches the obs-fold rule) unless
    the message is intended for packaging within the message/http media type.
+   HTTP/1.1 recipients &SHOULD; accept line folding and replace any embedded
+   obs-fold whitespace with a single SP prior to interpreting the field value
+   or forwarding the message downstream.
+   HTTP recipients &SHOULD; accept line folding and replace any embedded
+   obs-fold whitespace with either a single SP or a matching number of SP
+   octets (to avoid buffer copying) prior to interpreting the field value or
+   forwarding the message downstream.
 </t>
 <t>
 …
    opaque data.
 </t>
+</section>
+<section title="Field Length" anchor="field.length">
+<t>
+   HTTP does not place a pre-defined limit on the length of header fields,
+   either in isolation or as a set. A server &MUST; be prepared to receive
+   request header fields of unbounded length and respond with a 4xx status
+   code if the received header field(s) would be longer than the server wishes
+   to handle.
+</t>
+<t>
+   A client that receives response headers that are longer than it wishes to
+   handle can only treat it as a server error.
+</t>
+<t>
+   Various ad-hoc limitations on header length are found in practice. It is
+   &RECOMMENDED; that all HTTP senders and recipients support messages whose
+   combined header fields have 4000 or more octets.
+</t>
+</section>
+<section title="Common Field ABNF Rules" anchor="field.rules">
+<t anchor="rule.token.separators">
+  <x:anchor-alias value="tchar"/>
+  <x:anchor-alias value="token"/>
+  <x:anchor-alias value="special"/>
+  <x:anchor-alias value="word"/>
+   Many HTTP/1.1 header field values consist of words (token or quoted-string)
+   separated by whitespace or special characters. These special characters
+   &MUST; be in a quoted string to be used within a parameter value (as defined
+   in <xref target="transfer.codings"/>).
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="word"/><iref primary="true" item="Grammar" subitem="token"/><iref primary="true" item="Grammar" subitem="tchar"/><iref primary="true" item="Grammar" subitem="special"/>
+  <x:ref>word</x:ref>           = <x:ref>token</x:ref> / <x:ref>quoted-string</x:ref>
+  <x:ref>token</x:ref>          = 1*<x:ref>tchar</x:ref>
+<!--
+  IMPORTANT: when editing "tchar" make sure that "special" is updated accordingly!!!
+ -->
+  <x:ref>tchar</x:ref>          = "!" / "#" / "$" / "%" / "&amp;" / "'" / "*"
+                 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
+                 / <x:ref>DIGIT</x:ref> / <x:ref>ALPHA</x:ref>
+                 ; any <x:ref>VCHAR</x:ref>, except <x:ref>special</x:ref>
+  <x:ref>special</x:ref>        = "(" / ")" / "&lt;" / ">" / "@" / ","
+                 / ";" / ":" / "\" / DQUOTE / "/" / "["
+                 / "]" / "?" / "=" / "{" / "}"
+</artwork></figure>
+<t anchor="rule.quoted-string">
+  <x:anchor-alias value="quoted-string"/>
+  <x:anchor-alias value="qdtext"/>
+  <x:anchor-alias value="obs-text"/>
+   A string of text is parsed as a single word if it is quoted using
+   double-quote marks.
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="quoted-string"/><iref primary="true" item="Grammar" subitem="qdtext"/><iref primary="true" item="Grammar" subitem="obs-text"/>
+  <x:ref>quoted-string</x:ref>  = <x:ref>DQUOTE</x:ref> *( <x:ref>qdtext</x:ref> / <x:ref>quoted-pair</x:ref> ) <x:ref>DQUOTE</x:ref>
+  <x:ref>qdtext</x:ref>         = <x:ref>OWS</x:ref> / %x21 / %x23-5B / %x5D-7E / <x:ref>obs-text</x:ref>
+  <x:ref>obs-text</x:ref>       = %x80-FF
+</artwork></figure>
+<t anchor="rule.quoted-pair">
+  <x:anchor-alias value="quoted-pair"/>
+   The backslash octet ("\") can be used as a single-octet
+   quoting mechanism within quoted-string constructs:
+</t>
+<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="quoted-pair"/>
+  <x:ref>quoted-pair</x:ref>    = "\" ( <x:ref>WSP</x:ref> / <x:ref>VCHAR</x:ref> / <x:ref>obs-text</x:ref> )
+</artwork></figure>
+<t>
+   Recipients that process the value of the quoted-string &MUST; handle a
+   quoted-pair as if it were replaced by the octet following the backslash.
+</t>
+<t>
+   Senders &SHOULD-NOT; escape octets in quoted-strings that do not require
+   escaping (i.e., other than DQUOTE and the backslash octet).
+</t>
 <t anchor="rule.comment">
   <x:anchor-alias value="comment"/>
 …
   <x:ref>comment</x:ref>        = "(" *( <x:ref>ctext</x:ref> / <x:ref>quoted-cpair</x:ref> / <x:ref>comment</x:ref> ) ")"
   <x:ref>ctext</x:ref>          = <x:ref>OWS</x:ref> / %x21-27 / %x2A-5B / %x5D-7E / <x:ref>obs-text</x:ref>
-                 ; <x:ref>OWS</x:ref> / &lt;<x:ref>VCHAR</x:ref> except "(", ")", and "\"&gt; / <x:ref>obs-text</x:ref>
 </artwork></figure>
 <t anchor="rule.quoted-cpair">
 …
 </artwork></figure>
 <t>
+   Senders &SHOULD-NOT; escape octets that do not require escaping
+   (i.e., other than the backslash octet "\" and the parentheses "(" and
+   ")").
+</t>
+<t>
+   HTTP does not place a pre-defined limit on the length of header fields,
+   either in isolation or as a set. A server &MUST; be prepared to receive
+   request header fields of unbounded length and respond with a 4xx status
+   code if the received header field(s) would be longer than the server wishes
+   to handle.
+</t>
+<t>
+   A client that receives response headers that are longer than it wishes to
+   handle can only treat it as a server error.
+</t>
+<t>
+   Various ad-hoc limitations on header length are found in practice. It is
+   &RECOMMENDED; that all HTTP senders and recipients support messages whose
+   combined header fields have 4000 or more octets.
+</t>
+   Senders &SHOULD-NOT; escape octets in comments that do not require escaping
+   (i.e., other than the backslash octet "\" and the parentheses "(" and ")").
+</t>
+</section>
 </section>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 1393 for draft-ietf-httpbis/latest/p1-messaging.xml

Legend:

draft-ietf-httpbis/latest/p1-messaging.xml

Download in other formats: