https://issues.apache.org/bugzilla/show_bug.cgi?id=45180
--- Comment #5 from Julian Reschke <[EMAIL PROTECTED]> 2008-06-11 23:25:25 PST --- >It is actually quite illegal to have \r (carriage return) \n (newline) inside >of a HTTP 1.1 Header Value. If any HTTP server allows CLRF inside of a header >value, ... In general that's incorrect. CRLF is allowed as part of LWS (linear white space). > ... it can and will lead to HTTP Response Splitting Attacks. That may be true, but doesn't affect what's legal or not. If you think the HTTP spec should disallow CRLFs in header values, then better join the httpbis working group and argue the case over there. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
