[8995] in bugtraq

home help back first fref pref prev next nref lref last post

Re: HTTP REQUEST_METHOD flaw

daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Fri Jan 8 14:19:41 1999

Date: 	Fri, 8 Jan 1999 03:19:23 +0100
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         sevo@inm.de
To: BUGTRAQ@NETSPACE.ORG

Sevo Stille wrote:

> > Even Control characters are allowed. Consider the following:
> >
> >  ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
> >
>
> Of course control chars are and must be allowed - CGI is defined to be
> transparent towards the application. For a request satisfied by the
> server, the server would have to (and at any rate apache does) return a
> 501 method not implemented error, according to the specs, par. 5.1.1.
1

Not really. RFC 2068 defines method as a token, which is "1*<any CHAR
except CTLs or tspecials>" so the above may be rejected with a "400 Bad
Request" reply as it is not valid HTTP syntax.

HTTP puts restrictions on wich characters that are allowable in all
parts of the protocol except the message body.

---
Henrik Nordstrom

home help back first fref pref prev next nref lref last post