https://issues.apache.org/bugzilla/show_bug.cgi?id=45180
--- Comment #4 from Jim Manico <[EMAIL PROTECTED]> 2008-06-11 17:36:39 PST ---

It is actually quite illegal to have \r (carriage return) \n (newline) inside of a HTTP 1.1 Header Value. If any HTTP server allows CRLF inside of a header value, it can and will lead to HTTP Response Splitting Attacks.

http://en.wikipedia.org/wiki/HTTP_response_splitting

http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 defines a field value to be of the following form. LWS is whitespace, so we are really concerned about field-content in the spec.

    field-value   = *( field-content | LWS )
    field-content = <the OCTETs making up the field-value
                     and consisting of either *TEXT or combinations
                     of token, separators, and quoted-string>

That leads us to http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2 as Mark pointed out. TEXT and TOKEN explicitly disallow \r\n:

    token         = 1*<any CHAR except CTLs or separators>
    TEXT          = <any OCTET except CTLs, but including LWS>

Where CTLs are defined as:

    CTL           = <any US-ASCII control character (octets 0 - 31) and DEL (127)>

Separators are different from CTLs. That leads us to quoted-strings:

    quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )

Whose elements are defined as:

    qdtext        = <any TEXT except <">>

The backslash character ("\") MAY be used as a single-character quoting mechanism only within quoted-string and comment constructs.

    quoted-pair   = "\" CHAR

Ah, so RFC 2616 DID allow \r\n in header values you might say - but changeset 238 http://www3.tools.ietf.org/wg/httpbis/trac/changeset/238 amended RFC 2616 to disallow quoted-pair escaping of NUL, CR and LF.
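As an added illustration (not from the bug report and not Tomcat code), a small validator that walks a header field value against the grammar quoted in the comment: CTLs are rejected outside and inside quoted-strings, and a quoted-pair may not escape NUL, CR or LF (changeset 238). The helper name is hypothetical, and it treats LWS as SP/HT only, i.e. no line folding, matching the comment's stance that CR/LF never belong in a value; an optional flag applies the original RFC 2616 quoted-pair rule so the two behaviours can be compared.

```python
"""Hypothetical RFC 2616 field-value validator (added example, not Tomcat's code)."""

CTLS = set(range(0, 32)) | {127}       # RFC 2616 2.2: CTL = octets 0-31 and DEL
LWS_CHARS = {0x20, 0x09}               # SP and HT; line folding deliberately not accepted
NEVER_ESCAPABLE = {0x00, 0x0D, 0x0A}   # httpbis changeset 238: NUL, CR, LF


def is_valid_field_value(value: bytes, legacy_quoted_pair: bool = False) -> bool:
    """Return True if `value` is a well-formed HTTP/1.1 header field-value.

    Outside a quoted-string every octet must be TEXT (any OCTET except CTL,
    with SP/HT allowed as LWS).  Inside a quoted-string, qdtext is any TEXT
    except '"', and a backslash starts a quoted-pair.  By default the
    changeset 238 amendment is applied and a quoted-pair may not escape
    NUL, CR or LF; with legacy_quoted_pair=True the original '"\\" CHAR'
    rule is used, which is what let CR/LF slip into values.
    """
    in_quote = False
    i, n = 0, len(value)
    while i < n:
        b = value[i]
        if in_quote:
            if b == 0x5C:  # backslash: quoted-pair = "\" CHAR
                if i + 1 >= n:
                    return False  # dangling backslash, no CHAR to escape
                nxt = value[i + 1]
                if nxt > 127:
                    return False  # CHAR is US-ASCII only
                if not legacy_quoted_pair and nxt in NEVER_ESCAPABLE:
                    return False  # changeset 238: NUL/CR/LF cannot be escaped
                i += 2
                continue
            if b == 0x22:
                in_quote = False  # closing <">
            elif b in CTLS and b not in LWS_CHARS:
                return False  # qdtext must be TEXT, so no CTL here either
        else:
            if b == 0x22:
                in_quote = True  # opening <">
            elif b in CTLS and b not in LWS_CHARS:
                return False  # CR, LF, NUL, ... are CTL and so not TEXT
        i += 1
    return not in_quote  # an unterminated quoted-string is invalid
```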