On 08/03/2016 11:53 AM, Roy T. Fielding wrote:
Replacing each byte with a separate space (as opposed to condensing into a single space) 
*might* help prevent adversaries from playing games with header length checks in more 
complicated/layered systems. That's probably a stretch though. And if we consume the CRLF 
in a different layer of logic, adding on two spaces just to keep everything 
"consistent" may also be a stretch. I'm not feeling strongly either way.

What the spec is trying to say is that we can either replace all those bytes
with a single SP (semantically speaking they are the same) or we can replace
them all with a sequence of SP (still the same, but doesn't require splitting
or recomposing the buffer).

Right, I was just wondering out loud if condensing into a single space could give anyone the chance to defeat a header length check in a multi-layered system. It's admittedly a pretty "tinfoil hat" concern.

So the obs-fold itself consists of CR LF [ SP | TAB ]

   obs-fold = CRLF 1*( SP / HTAB )
Note that this section of the spec has Errata associated with it; I'm reading 
through the conversation [1] and it's seeming like they *may* want to treat OWS 
preceding the CRLF as part of the obs-fold as well. I don't know what our 
position is on adopting pieces of Errata that have been Held for Document 
Update.

No, that is just an ABNF issue for matching purposes.  We don't use it.

So if there is an HTAB directly *before* the obs-fold CRLF, we should not try to replace it with an SP?

--Jacob
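As an added illustration of the byte-for-byte replacement discussed above (example code, not httpd's own parser; the function names and the sample Via field are constructed for this example): each obs-fold is rewritten in place as one SP per fold byte, so the header's length is identical before and after unfolding, while an HTAB that sits *before* the CRLF is left alone because it is OWS, not part of the fold.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* obs-fold = CRLF 1*( SP / HTAB )  (RFC 7230 section 3.2.4).
 * Replace every obs-fold in buf[0..len) with SP octets, one SP per fold
 * byte, so the buffer length never changes and a length check made in
 * another layer sees the same number of bytes.  Whitespace *before* the
 * CRLF is ordinary OWS and is left untouched; a CRLF followed by a
 * non-whitespace byte is a line terminator and is also left alone.
 * Returns the number of folds replaced.  Hypothetical helper name. */
size_t unfold_obs_fold(char *buf, size_t len)
{
    size_t folds = 0, i = 0;

    while (i + 2 < len) {               /* need CR LF plus one SP/HTAB */
        if (buf[i] == '\r' && buf[i + 1] == '\n'
            && (buf[i + 2] == ' ' || buf[i + 2] == '\t')) {
            buf[i++] = ' ';             /* CR -> SP */
            buf[i++] = ' ';             /* LF -> SP */
            while (i < len && (buf[i] == ' ' || buf[i] == '\t'))
                buf[i++] = ' ';         /* each SP/HTAB of the fold -> SP */
            folds++;
        } else {
            i++;
        }
    }
    return folds;
}

/* Constructed sample: a Via field folded twice, with an HTAB before the
 * first CRLF.  That HTAB is OWS, not fold, and must survive unchanged. */
static const char SAMPLE[]   = "Via: 1.1 a\t\r\n \t1.1 b\r\n  1.1 c\r\n";
static const char EXPECTED[] = "Via: 1.1 a\t    1.1 b    1.1 c\r\n";

/* Returns 1 if unfolding SAMPLE yields EXPECTED at the same length. */
int sample_unfolds_as_expected(void)
{
    char buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    size_t n = unfold_obs_fold(buf, sizeof SAMPLE - 1);
    return n == 2 && strlen(buf) == sizeof SAMPLE - 1
           && memcmp(buf, EXPECTED, sizeof EXPECTED) == 0;
}

int main(void)
{
    char buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof SAMPLE);
    printf("folds replaced: %zu\n", unfold_obs_fold(buf, sizeof SAMPLE - 1));
    printf("%s", buf);
    return sample_unfolds_as_expected() ? 0 : 1;
}
```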
