On Mon, Jun 15, 2015 at 12:33 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> Reviewing the spec, I cannot find where Sambar server is permitted to
> insert whitespace. I further reviewed the ABNF appendix, and it does not
> appear there, either.
>
> The spec seems unambiguous;
>
> chunk          = chunk-size [ chunk-ext ] CRLF
>                  chunk-data CRLF
> chunk-size     = 1*HEXDIG
> last-chunk     = 1*("0") [ chunk-ext ] CRLF
>
>
> There is no opportunity to use whitespace outside of chunk-ext.
>
>
> chunk-ext      = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
> chunk-ext-name = token
> chunk-ext-val  = token / quoted-string
>
>
> The rules in section 3.2.3 have become extremely strict;
>
>
> 3.2.3 <https://tools.ietf.org/html/rfc7230#section-3.2.3>.  Whitespace
>
>    This specification uses three rules to denote the use of linear
>    whitespace: OWS (optional whitespace), RWS (required whitespace), and
>    BWS ("bad" whitespace).
>
>    The OWS rule is used where zero or more linear whitespace octets
>    might appear.  For protocol elements where optional whitespace is
>    preferred to improve readability, a sender SHOULD generate the
>    optional whitespace as a single SP; otherwise, a sender SHOULD NOT
>    generate optional whitespace except as needed to white out invalid or
>    unwanted protocol elements during in-place message filtering.
>
>    The RWS rule is used when at least one linear whitespace octet is
>    required to separate field tokens.  A sender SHOULD generate RWS as a
>    single SP.
>
>    The BWS rule is used where the grammar allows optional whitespace
>    only for historical reasons.  A sender MUST NOT generate BWS in
>    messages.  A recipient MUST parse for such bad whitespace and remove
>    it before interpreting the protocol element.
>
>
> And section 3.6.1 of RFC2616 made no accommodation for whitespace, in the 
> first place.
>
>
> I think Sambar is wrong and we should not be supporting this.
>
>
> If we make provision to support this, we should be disallowing by default
> and add a directive to change the behavior.
>
>
> Thoughts?
>
>
1.3 (or 1.3-based servers) put whitespace there.
1.3.x, 2.0.x, 2.2.x, and 2.4.x (for all released x so far) accept
whitespace there.
We can't change that by default in a stable branch.

This could be perhaps implemented in conjunction with sf's HttpStrict (?)
stuff in trunk (I have no clue what that does in practice, but it sounds
right).


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
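
The trade-off discussed in this thread, as an added example that is not part of the original message and is not httpd code: a chunk-size line parser with a strict mode that follows the quoted ABNF and a lenient mode that tolerates whitespace after the size. The function name, the `strict` flag and the assumption that the whitespace in question is SP/HTAB trailing the hex digits are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Value of one HEXDIG, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper. Parses one chunk-size line, without its CRLF:
 *   chunk-size [ chunk-ext ]      chunk-size = 1*HEXDIG
 * strict != 0: only the ABNF above is accepted.
 * strict == 0: SP/HTAB between chunk-size and ";" or end of line is
 *              also tolerated (assumed position of the whitespace).
 * Returns 0 and stores the size on success, -1 on a malformed line. */
int parse_chunk_size_line(const char *line, size_t len, int strict,
                          uint64_t *size)
{
    size_t i = 0;
    uint64_t n = 0;
    int v;

    /* chunk-size = 1*HEXDIG; reject values that overflow 64 bits */
    while (i < len && (v = hexval((unsigned char)line[i])) >= 0) {
        if (n > (UINT64_MAX >> 4))
            return -1;
        n = (n << 4) | (uint64_t)v;
        i++;
    }
    if (i == 0)
        return -1;          /* no digits, e.g. leading whitespace */

    /* Lenient mode only: skip whitespace after the digits */
    if (!strict)
        while (i < len && (line[i] == ' ' || line[i] == '\t'))
            i++;

    /* The rest must be empty or a chunk-ext starting with ";".
     * The extension itself is not validated in this example. */
    if (i < len && line[i] != ';')
        return -1;

    *size = n;
    return 0;
}
```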
