One of the things I found when I turned this on in production was a Microsoft 
product that was using some custom HTTP methods: CCM_POST and BITS_POST. I'd 
say add underscore to this as well, maybe even hyphen.

If we want to take this further, the HTTP/1.1 and HTTP/1.0 RFCs say that the 
request method must be a token. Tokens are defined as:

>       token          = 1*<any CHAR except CTLs or separators>
>       separators     = "(" | ")" | "<" | ">" | "@"
>                      | "," | ";" | ":" | "\" | <">
>                      | "/" | "[" | "]" | "?" | "="
>                      | "{" | "}" | SP | HT

Thoughts?

  --Vlad

On Dec 5, 2012, at 7:57 PM, Robin Sommer <[email protected]> wrote:

> commit 57510464a1c100f174382daa48934f2404762f3d
> Author: Robin Sommer <[email protected]>
> Date:   Wed Dec 5 16:44:04 2012 -0800
> 
>    Adapting the HTTP request line parsing to only accept methods
>    consisting of letters [A-Za-z].
> 
>    I had some bogus HTTP sessions now with the test-suite that reported
>    data as HTTP because it started with "<!... ". Requiring letters seems
>    a reasonable constraint.


_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
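
The two candidate rules from this thread, side by side, as an added example that is not part of the original message and not Bro's parser code: the commit's letters-only check and the RFC token check quoted above. The function names and the sample request lines are constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// RFC token character: any CHAR (0-127) except CTLs (0-31, 127)
// and the separators listed in the grammar quoted in the message.
static bool is_token_char(unsigned char c) {
    if (c <= 32 || c >= 127) return false;  // CTLs, SP, DEL, non-ASCII
    return std::strchr("()<>@,;:\\\"/[]?={}", c) == nullptr;
}

// The stricter rule from the commit: letters [A-Za-z] only.
static bool is_letter(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

// Length of the method at the start of a request line, or 0 if the line
// does not begin with one or more accepted characters followed by SP.
template <typename Pred>
static std::size_t method_length(const std::string& line, Pred ok) {
    std::size_t n = 0;
    while (n < line.size() && ok(static_cast<unsigned char>(line[n]))) ++n;
    if (n == 0 || n >= line.size() || line[n] != ' ') return 0;
    return n;
}

std::size_t method_letters_only(const std::string& line) {
    return method_length(line, is_letter);
}

std::size_t method_rfc_token(const std::string& line) {
    return method_length(line, is_token_char);
}

int main() {
    // Constructed sample lines: a standard method, the two custom methods
    // named in the message, and markup that starts with "<!".
    const char* samples[] = {
        "GET /index.html HTTP/1.1", "CCM_POST /example HTTP/1.1",
        "BITS_POST /example HTTP/1.1", "<!DOCTYPE html PUBLIC x>",
    };
    for (const char* s : samples)
        std::cout << s << "  letters=" << method_letters_only(s)
                  << " token=" << method_rfc_token(s) << "\n";
    return 0;
}
```

The token rule rejects the "<!" case because "<" is a separator, but it still accepts leading punctuation such as "!" or "#", so it filters less than letters plus underscore and hyphen would.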
