21/01/13 06:20:05 (8 years ago)

Allow recipients to reject obsolete line folding; addresses #409

1 edited


  • draft-ietf-httpbis/latest/p1-messaging.xml

    r2116 r2146  
    13051305   Historically, HTTP header field values could be extended over multiple
    13061306   lines by preceding each extra line with at least one space or horizontal
    1307    tab (obs-fold). This specification deprecates such line
    1308    folding except within the message/http media type
     1307   tab (obs-fold). This specification deprecates such line folding except
     1308   within the message/http media type
    13091309   (<xref target="internet.media.type.message.http"/>).
    13101310   Senders &MUST-NOT; generate messages that include line folding
    1311    (i.e., that contain any field-value that matches the obs-fold rule) unless
    1312    the message is intended for packaging within the message/http media type.
    1313    Recipients &MUST; accept line folding and replace any embedded
    1314    obs-fold whitespace with either a single SP or a matching number of SP
    1315    octets (to avoid buffer copying) prior to interpreting the field value or
    1316    forwarding the message downstream.
     1311   (i.e., that contain any field-value that contains a match to the
     1312   <x:ref>obs-fold</x:ref> rule) unless the message is intended for packaging
     1313   within the message/http media type. When an <x:ref>obs-fold</x:ref> is
     1314   received in a message, recipients &MUST; do one of:
     1315   <list style="symbols">
     1316      <t>accept the message and replace any embedded <x:ref>obs-fold</x:ref>
     1317         whitespace with either a single <x:ref>SP</x:ref> or a matching
     1318         number of <x:ref>SP</x:ref> octets (to avoid buffer copying) prior to
     1319         interpreting the field value or forwarding the message
     1320         downstream;</t>
     1322      <t>if it is a request, reject the message by sending a
     1323         <x:ref>400 (Bad Request)</x:ref> response with a representation
     1324         explaining that obsolete line folding is unacceptable; or,</t>
     1326      <t>if it is a response, discard the message and generate a
     1327         <x:ref>502 (Bad Gateway)</x:ref> response with a representation
     1328         explaining that unacceptable line folding was received.</t>
     1329   </list>
     1330   Recipients that choose not to implement <x:ref>obs-fold</x:ref> processing
     1331   (as described above) &MUST-NOT; accept messages containing header fields
     1332   with leading whitespace, as this can expose them to attacks that exploit
     1333   this difference in processing.
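Review bot: The third list item (new lines 1326-1328) only works for an intermediary, yet the lead-in at 1314 says recipients &MUST; do one of the three: a user agent that receives a folded response has nobody downstream to send a 502 (Bad Gateway) to. Suggest scoping that item to proxies and gateways and stating explicitly what a user agent does with a folded response. Separately, "header fields with leading whitespace" at 1331-1332 is ambiguous, since it can be read as whitespace after the colon rather than a line that begins with SP or HTAB; phrasing it in terms of the obs-fold rule would remove the doubt. That paragraph also does not carry over the message/http exception that the sender requirement at 1312-1313 keeps.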