Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Configuring option 2 of RFC 7230 paragraph 5 (HTTP header folding)

Hi,

Am 15.02.2017 um 18:35 schrieb Joakim Erdfelt:
The "message/http" content-type is typically only seen in the response body content
 to a TRACE method (which is unsupported by Jetty for security reasons).

I know but that was not the point of my mail.

It was removed from the spec specifically because it causes security issues. (header injection)

I know, I've read the bug report I mentioned in my original mail

Note: Internet Explorer, Chrome, Firefox, and most proxies do not support header folding anymore.

The other side of EDI-installations are seldom browsers but other programs
implemented in whatever programming language you can think of decades ago
and uable to be changed.

What are you trying to do is going to be increasingly more difficult as time goes
 on (not only will Jetty reject it, but so must http proxies and the like)

Not sure about proxies since that part of the RFC mandates
proxies to do the replacement to spaces at least for the response-
headers so it's logical (at least for me) to expect the same thing
to happen for the request headers.


The spec is pretty clear https://tools.ietf.org/html/rfc7230#section-3.2.4

   Historically, HTTP header field values could be extended over
   multiple lines by preceding each extra line with at least one space
   or horizontal tab (obs-fold).  This specification deprecates such
   line folding except within the message/http media type
   (Section 8.3.1 <https://tools.ietf.org/html/rfc7230#section-8.3.1>).  A sender MUST NOT generate a message that includes
   line folding (i.e., that has any field-value that contains a match to
   the obs-fold rule) unless the message is intended for packaging
   within the message/http media type.

You ignored the subsequent paragraph I explicitly quoted to make my point:

A server that receives an obs-fold in a request message that is not
   within a message/http container MUST either reject the message by
   sending a 400 (Bad Request), preferably with a representation
   explaining that obsolete line folding is unacceptable, or replace
   each received obs-fold with one or more SP octets prior to
   interpreting the field value or forwarding the message downstream.

Your clients MUST NOT send folded http headers.

My (HTTP-)clients don't do that but the clients of others that communicate
with my server. I have no control over these and they are sending
important stuff that escalate quicker than you can say "just in
time deliveries are going to be delayed" if the server stops accepting
it due to this issue.

It is highly unlikely that Jetty will reintroduce header folding.
You'll have to make a very good (security minded) case for it.

My case is "Real Life" and since replacing newlines by spaces is
explicitly mentioned in the RFC as legal I need to go this way
to keep my sanity when shipping a release with Jetty 9.3 "underneath".


Thanks and cheers, Lothar


Back to the top