Bugtraq mailing list archives
Re: HTTP REQUEST_METHOD flaw
From: hno () HEM PASSAGEN SE (Henrik Nordstrom)
Date: Fri, 8 Jan 1999 03:19:23 +0100
Sevo Stille wrote:
Even Control characters are allowed. Consider the following:

^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1

Of course control chars are and must be allowed - CGI is defined to be transparent towards the application. For a request satisfied by the server, the server would have to (and at any rate apache does) return a 501 method not implemented error, according to the specs, par. 5.1.1.

Not really. RFC 2068 defines method as a token, which is "1*<any CHAR except CTLs or tspecials>" so the above may be rejected with a "400 Bad Request" reply as it is not valid HTTP syntax. HTTP puts restrictions on which characters are allowable in all parts of the protocol except the message body.

---
Henrik Nordstrom
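
The 400-versus-501 distinction discussed in this message, as an added example that is not part of the original post and is not taken from any server mentioned in the thread: a request-line check that applies the RFC 2068 `token` rule to the method before deciding whether the method is implemented. The `IMPLEMENTED` set and the function names are assumptions made for illustration, and the sample request lines are constructed.

```python
# RFC 2068 section 2.2: tspecials, plus SP and HT, may not appear in a token.
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

# Assumption: the methods a hypothetical server handles.
IMPLEMENTED = {"GET", "HEAD", "POST"}


def is_token(value: bytes) -> bool:
    """token = 1*<any CHAR except CTLs or tspecials>."""
    if not value:
        return False
    for b in value:
        if b > 127:                # outside US-ASCII, so not a CHAR
            return False
        if b < 32 or b == 127:     # CTL (includes ^H, 0x08)
            return False
        if chr(b) in TSPECIALS:
            return False
    return True


def classify_request_line(line: bytes) -> int:
    """Status a strict server could return from the request line alone."""
    # Request-Line = Method SP Request-URI SP HTTP-Version CRLF
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return 400
    method, uri, version = parts
    if not is_token(method):
        return 400                 # syntactically invalid method
    if not uri or not version.startswith(b"HTTP/"):
        return 400
    if method.decode("ascii") not in IMPLEMENTED:
        return 501                 # valid token, but not a method we serve
    return 200


# Constructed samples; the first mirrors the backspace-filled method quoted above.
SAMPLES = [
    b"\x08" * 20 + b" /cgi-bin/environ.cgi HTTP/1.1\r\n",
    b"FROB /cgi-bin/environ.cgi HTTP/1.1\r\n",
    b"GET /cgi-bin/environ.cgi HTTP/1.1\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_request_line(sample), repr(sample[:24]))
```

Rejecting at the syntax check means the malformed method never reaches a CGI program's `REQUEST_METHOD` variable or an access log in raw form.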