| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100927202013.GA12373@1wt.eu> Date: Mon, 27 Sep 2010 22:20:13 +0200 From: Willy Tarreau <w@....eu> To: Rick Jones <rick.jones2@...com> Cc: Herbert Xu <herbert@...dor.hengli.com.au>, netdev@...r.kernel.org Subject: Re: TCP: orphans broken by RFC 2525 #2.17 On Mon, Sep 27, 2010 at 01:08:13PM -0700, Rick Jones wrote: > Willy Tarreau wrote: > >Hi Herbert, > > > >On Mon, Sep 27, 2010 at 04:02:22PM +0800, Herbert Xu wrote: > > > >>Willy Tarreau <w@....eu> wrote: > >> > >>>Looking more closely, I noticed that in traces showing the issue, > >>>the client was sending an additional CRLF after the data in a > >>>separate packet (permitted eventhough not recommended). > >> > >>Where is this permitted? RFC2616 says: > >> > >> Certain buggy HTTP/1.0 client implementations generate > >> extra CRLF's after a POST request. To restate what is > >> explicitly forbidden by the BNF, an HTTP/1.1 client MUST > >> NOT preface or follow a request with an extra CRLF. > > > > > >And the paragraph just before says : > > > > In the interest of robustness, servers SHOULD ignore any empty > > line(s) received where a Request-Line is expected. In other words, if > > the server is reading the protocol stream at the beginning of a > > message and receives a CRLF first, it should ignore the CRLF. > > It is the HTTP server code being addressed there, not the underlying TCP > stack is it not? yes, precisely. regards, Willy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists