Bugtraq mailing list archives

Re: HTTP REQUEST_METHOD flaw

From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Fri, 8 Jan 1999 03:19:23 +0100


Sevo Stille wrote:

Even Control characters are allowed. Consider the following:

 ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1


Of course control chars are and must be allowed - CGI is defined to be
transparent towards the application. For a request satisfied by the
server, the server would have to (and at any rate apache does) return a
501 method not implemented error, according to the specs, par. 5.1.1.

1

Not really. RFC 2068 defines method as a token, which is "1*<any CHAR
except CTLs or tspecials>" so the above may be rejected with a "400 Bad
Request" reply as it is not valid HTTP syntax.

HTTP puts restrictions on wich characters that are allowable in all
parts of the protocol except the message body.

---
Henrik Nordstrom

Current thread:

Re: HTTP REQUEST_METHOD flaw Sevo Stille (Jan 06)
- Re: HTTP REQUEST_METHOD flaw Christopher Masto (Jan 07)
- Re: HTTP REQUEST_METHOD flaw Jonathan A. Zdziarski (Jan 07)
  - Re: HTTP REQUEST_METHOD flaw Kenneth Albanowski (Jan 08)
- <Possible follow-ups>
- Re: HTTP REQUEST_METHOD flaw Henrik Nordstrom (Jan 07)
- Re: HTTP REQUEST_METHOD flaw Ben Laurie (Jan 08)