Opened 6 years ago

Closed 6 years ago

#444 closed editorial (incorporated)

obs-fold language

Reported by: mnot@… Owned by: draft-ietf-httpbis-p1-messaging@…
Priority: normal Milestone: 23
Component: p1-messaging Severity: In WG Last Call
Keywords: Cc:

Description

p1 3.2.4 defines requirements for handling obs-fold:

When an obs-fold is received in a message, recipients MUST do one of:

  • accept the message and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream;
  • if it is a request, reject the message by sending a 400 (Bad Request) response with a representation explaining that obsolete line folding is unacceptable; or,
  • if it is a response, discard the message and generate a 502 (Bad Gateway) response with a representation explaining that unacceptable line folding was received.

Recipients that choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing header fields with leading whitespace, as this can expose them to attacks that exploit this difference in processing.

This seems to repeat itself; what is the difference between choosing to reject the request in the manner described in the last two bullet points, and not accepting the message?
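As an added illustration of the requirements quoted in the description (example code written for this page, not part of the ticket or of the httpbis draft), the following Python parser takes a header block and applies the two choices the text gives a recipient: unfold each obs-fold into a single SP before interpreting the field value, or reject the message with the status the text prescribes (400 for a request, 502 for a response). Whitespace before the first header field has nothing to continue and is always rejected, which is the case the last quoted paragraph is about. The function names `parse_header_block`, `status_for` and the exception class are assumptions for this example.

```python
"""Header-field parsing with obs-fold handling (hypothetical example code,
not taken from the httpbis draft or any HTTP implementation).

An obs-fold is CRLF followed by one or more SP/HTAB octets. A recipient
that accepts it replaces the whole sequence with a single SP; a recipient
that does not accept it rejects the message.
"""
from typing import List, Tuple

CRLF = "\r\n"
FOLD_WS = (" ", "\t")


class ObsFoldRejected(ValueError):
    """Raised when the block is rejected; carries the status to send back."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_header_block(
    raw: str, is_request: bool = True, accept_obs_fold: bool = True
) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the CRLF-terminated header block.

    Continuation lines (leading SP or HTAB) are obs-fold. With
    accept_obs_fold=True the fold is replaced by a single SP inside the
    previous field's value; with accept_obs_fold=False the message is
    rejected with 400 (request) or 502 (response). A fold before the
    first field is rejected in either mode.
    """
    status_on_reject = 400 if is_request else 502
    lines = raw.split(CRLF)
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after the final CRLF

    fields: List[Tuple[str, str]] = []
    pending_name = None  # field currently being assembled
    pending_value = ""

    for line in lines:
        if line.startswith(FOLD_WS):
            if pending_name is None:
                raise ObsFoldRejected(status_on_reject, "whitespace before first header field")
            if not accept_obs_fold:
                raise ObsFoldRejected(status_on_reject, "obsolete line folding is unacceptable")
            # Replace CRLF 1*(SP/HTAB) with exactly one SP; the rest of the line is value.
            pending_value += " " + line.lstrip(" \t")
            continue

        if pending_name is not None:
            fields.append((pending_name, pending_value.strip(" \t")))

        name, sep, value = line.partition(":")
        # No colon, empty name, or whitespace between name and colon: not a field-line.
        if not sep or not name or name != name.rstrip(" \t"):
            raise ObsFoldRejected(status_on_reject, "malformed header field")
        pending_name, pending_value = name, value

    if pending_name is not None:
        fields.append((pending_name, pending_value.strip(" \t")))
    return fields


def status_for(raw: str, is_request: bool = True, accept_obs_fold: bool = True) -> int:
    """Return 0 if the block is accepted, otherwise the rejection status code."""
    try:
        parse_header_block(raw, is_request, accept_obs_fold)
    except ObsFoldRejected as exc:
        return exc.status
    return 0


if __name__ == "__main__":
    # Constructed sample: one folded field spanning three lines.
    block = "Host: example.com\r\nX-Long: part one\r\n part two\r\n\tpart three\r\n"
    print(parse_header_block(block))
    print(status_for(block, is_request=True, accept_obs_fold=False))   # 400
    print(status_for(block, is_request=False, accept_obs_fold=False))  # 502
    print(status_for(" Host: example.com\r\n"))                        # 400
```

The unfolding keeps any OWS that preceded the CRLF (so `a \r\n b` becomes `a  b`) and only strips whitespace at the ends of the finished value, which matches replacing just the obs-fold sequence with one SP rather than normalising the whole value.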

Change History (3)

comment:1 Changed 6 years ago by mnot@…

Suggestion from Willy:

Maybe this confusing sentence should be removed and replaced with something like this before the block you quoted:

Presence of a space or tab character at the beginning of a line must not be taken as a new header field but as the continuation of the previous header field (obs-fold). As such it cannot happen on the first header field.

comment:2 Changed 6 years ago by fielding@…

From [2260]:

(editorial) Replace the confusing list of bullets for obs-fold handling with separate paragraphs for each type of recipient; Move the requirements for invalid fold space before the first header field into the section that defines the corresponding ABNF; addresses #444

comment:3 Changed 6 years ago by fielding@…

  • Milestone changed from unassigned to 23
  • Resolution set to incorporated
  • Status changed from new to closed

The suggestion from Willy refers to different requirements in another section. The confusion was due to the prior changes to obs-fold handling being expressed as a list of bullets, even though the requirements require distinct handling from servers, proxies, and user agents.
