Re: HTTP REQUEST_METHOD flaw

From: Henrik Nordstrom (hnoat_private)
Date: Thu Jan 07 1999 - 18:19:23 PST

    Sevo Stille wrote:
    
    > > Even Control characters are allowed. Consider the following:
    > >
    > >  ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
    > >
    >
    > Of course control chars are and must be allowed - CGI is defined to be
    > transparent towards the application. For a request satisfied by the
    > server, the server would have to (and at any rate apache does) return a
    > 501 method not implemented error, according to the specs, par. 5.1.1.
    1
    
    Not really. RFC 2068 defines method as a token, which is "1*<any CHAR
    except CTLs or tspecials>" so the above may be rejected with a "400 Bad
    Request" reply as it is not valid HTTP syntax.
    
    HTTP puts restrictions on which characters are allowable in all
    parts of the protocol except the message body.
    
    ---
    Henrik Nordstrom
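
The distinction drawn in this message (400 for a method that is not a valid token, 501 for a valid token the server does not implement), as an added example that is not part of the original post. The function names and the `IMPLEMENTED` method set are assumptions made for illustration.

```python
# Added example: choose a status from the request line using the RFC 2068
# "token" rule for Method. Names and the method set are hypothetical.
TSPECIALS = frozenset(b'()<>@,;:\\"/[]?={} \t')      # RFC 2068 tspecials
IMPLEMENTED = frozenset({b"GET", b"HEAD", b"POST"})  # assumed server method set


def is_token(value: bytes) -> bool:
    """token = 1*<any CHAR except CTLs or tspecials>"""
    if not value:
        return False
    for octet in value:
        if octet > 127:                 # outside CHAR (US-ASCII)
            return False
        if octet < 32 or octet == 127:  # CTL
            return False
        if octet in TSPECIALS:
            return False
    return True


def classify_request_line(line: bytes) -> int:
    """400 for invalid syntax, 501 for a valid but unimplemented method,
    200 when the request line is acceptable."""
    line = line.rstrip(b"\r\n")
    # A token cannot contain SP, so Method ends at the first SP.
    method, sep, rest = line.partition(b" ")
    if not sep or not is_token(method):
        return 400
    parts = rest.split(b" ")
    if len(parts) != 2 or not parts[0] or not parts[1].startswith(b"HTTP/"):
        return 400
    if method not in IMPLEMENTED:
        return 501
    return 200


# Constructed sample request lines; the first mirrors the quoted ^H case.
SAMPLES = [
    b"\x08" * 9 + b" /cgi-bin/environ.cgi HTTP/1.1\r\n",
    b"FROB /cgi-bin/environ.cgi HTTP/1.1\r\n",
    b"GET /cgi-bin/environ.cgi HTTP/1.1\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_request_line(sample), repr(sample))
```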
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:01 PDT