[langsec-discuss] secure parser differential advice from "Tangled Web"

Daira Hopwood daira at jacaranda.org
Thu Jan 15 16:09:30 UTC 2015


On 13/01/15 06:09, Nils Dagsson Moskopp wrote:
> Repeated header lines in HTTP are only allowed if they can be combined
> as a legitimate comma-separated list value. See RFC 7320, Section 3.2.2:
> 
>> A sender MUST NOT generate multiple header fields with the same field
>> name in a message unless either the entire field value for that
>> header field is defined as a comma-separated list [i.e., #(values)]
>> or the header field is a well-known exception (as noted below).
> 
> <https://tools.ietf.org/html/rfc7230#section-3.2.2>

This isn't sufficient because it doesn't say how a parser should interpret
noncompliant repeated header fields; only that a sender must not generate
them.

-- 
Daira Hopwood ⚥
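The receiver-side rule Daira's reply says the RFC leaves unspecified, written out as an added example (not code from this thread or from any project it mentions): a strict header-block parser that merges repeats only where RFC 7230 section 3.2.2 permits them and refuses every other repeat instead of choosing a copy. The `LIST_VALUED` and `EXCEPTIONS` sets are a hand-picked subset assumed for the example, not a complete registry.

```python
from typing import Dict, List, Union

# Field names that RFC 7230 section 3.2.2 lets a sender repeat because their
# value is defined as a comma-separated list (#(values)).  This is a small
# hand-picked subset assumed for the example, not a complete registry.
LIST_VALUED = {"accept", "accept-encoding", "accept-language", "cache-control",
               "connection", "transfer-encoding", "vary", "via"}
# The well-known exception the RFC text refers to: repeats are kept separately.
EXCEPTIONS = {"set-cookie"}


class HeaderError(ValueError):
    """Raised for any header block a strict receiver refuses to interpret."""


def parse_headers(raw: bytes) -> Dict[str, Union[str, List[str]]]:
    """Parse a CRLF-delimited header block into {lowercase-name: value}.

    Repeated list-valued fields are joined with ", " as the RFC permits;
    Set-Cookie repeats are collected into a list; a repeat of any other field
    (a second Content-Length, say) is rejected outright instead of letting
    this parser pick a copy that a neighbouring parser might not pick.
    """
    fields: Dict[str, Union[str, List[str]]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding is not accepted")
        name, sep, value = line.partition(b":")
        # RFC 7230 forbids whitespace between the field-name and the colon.
        if not sep or not name or name.strip() != name:
            raise HeaderError("malformed field line: %r" % line)
        try:
            key = name.decode("ascii").lower()
            val = value.strip(b" \t").decode("ascii")
        except UnicodeDecodeError:
            raise HeaderError("non-ASCII byte in field line: %r" % line)
        if key in EXCEPTIONS:
            fields.setdefault(key, []).append(val)
        elif key not in fields:
            fields[key] = val
        elif key in LIST_VALUED:
            fields[key] = fields[key] + ", " + val
        else:
            raise HeaderError("repeated non-list field %r" % key)
    return fields
```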
