[Owasp-leaders] Great interview with John at Gunner's blog

James Landis james.landis at owasp.org
Sat May 4 21:44:58 UTC 2013


+1


On Fri, Apr 5, 2013 at 5:50 AM, John Wilander <john.wilander at owasp.org> wrote:

> Eoin, you engage in an interesting discussion. Let's have a look at HTTP
> and strings. :)
>
> To scope things I suggest we look just at HTTP headers. Lots of good
> appsec stuff happening there. Cookies, response splitting, custom headers
> etc. What is allowed in an HTTP header? The rfc <http://www.ietf.org/rfc/rfc2616.txt> says:
>
> message-header = field-name ":" [ field-value ]
>        field-name     = token
>        field-value    = *( field-content | LWS )
>        field-content  = <the OCTETs making up the field-value
>                         and consisting of either *TEXT or combinations
>                         of token, separators, and quoted-string>
>
> token          = 1*<any CHAR except CTLs or separators>
>
> CHAR           = <any US-ASCII character (octets 0 - 127)>
>
> CTL            = <any US-ASCII control character
>                         (octets 0 - 31) and DEL (127)>
>
> separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>
> LWS            = [CRLF] 1*( SP | HT )
>
> CRLF            = CR LF
>
> OCTET          = <any 8-bit sequence of data>
>
> TEXT           = <any OCTET except CTLs,
>                         but including LWS>
>
> So, header names can consist of ASCII chars 32-126 except 19 chars called
> separators.
>
> Then there shall be a colon.
>
> Finally the header value can consist of any ASCII chars 9, 32-126 except
> 19 chars called separators … or a mix of tokens, separators, and quoted
> strings.
>
> On top of this web servers such as Apache impose length constraints on
> headers, somewhere around 10,000 chars.
>
> Now, let's have a look at "strings".
>
> Java uses Unicode strings in UTF-16 code units which handle over 100,000
> characters. As far as I know C# and JavaScript do the same. The max size
> of strings is often limited by the max size of integers, typically 2^31 - 1
> which is just over 2 billion.
>
> Now, how can these +100,000 character-set 2 billion character long strings
> be used in an HTTP header API?
>
> Java:
> void addHeader(java.lang.String name,
>                java.lang.String value)
>
> … which in a typical implementation might look like this:
>
> public void addHeader(String name, String value) {
>   if (isCommitted())
>     return;
>
>   if (included)
>     return;     // Ignore any call from an included servlet
>
>   synchronized (headers) {
>     ArrayList values = (ArrayList) headers.get(name);
>     if (values == null) {
>       values = new ArrayList();
>       headers.put(name, values);
>     }
>     values.add(value);
>   }
> }
>
> In the JavaDoc for addHeader() in the HttpServletResponse interface you of
> course find instructions to developers:
> "If it contains octet string, it should be encoded according to RFC 2047 (
> http://www.ietf.org/rfc/rfc2047.txt)"
>
> How many developers take action on that comment? How many get it right?
> How many product owners agree to make the investment on their project?
>
> This is exactly what I mean. We still believe we need plain strings. We
> don't. Almost nothing is just "a string" in software engineering. There's
> always lexical, syntactical, and semantical restrictions. We have to start
> helping developers get these things right.
>
> The interface should of course have been:
>
> void addHeader(javax.http.HeaderName name,
>                javax.http.HeaderValue value)
>
> … and the two domain classes HeaderName and HeaderValue should have been
> immutables which do input validation according to the rfc in their
> constructors.
>
> Agree?
>
>    Regards, John
>
>
>
>
> 2013/4/5 Eoin <eoin.keary at owasp.org>
>
>> Don't use strings??
>> That might break HTTP :)
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 5 Apr 2013, at 06:39, Dinis Cruz <dinis at ddplus.net> wrote:
>>
>> >
>> http://1raindrop.typepad.com/1_raindrop/2013/04/security-140-conversation-with-john-wilander.html
>> >
>> > Lots of great ideas and focus areas for OWASP's community :)
>> >
>> > Dinis Cruz
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> John Wilander, https://twitter.com/johnwilander
> Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> My music http://www.johnwilander.com & my résumé http://johnwilander.se
>
>
>
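The HeaderName and HeaderValue domain types John proposes above, written out as an added example; this is not code from the thread, from Tomcat or from the Servlet API, and the holder class name ValidatedHeaders and the 8190-character length cap are assumptions.

```java
import java.util.Objects;

// Added example (not the Servlet API and not John's code): the HeaderName and HeaderValue
// domain types proposed above, validating against the RFC 2616 grammar in their constructors.
public final class ValidatedHeaders {

    /** Immutable header name: token = 1*<any CHAR except CTLs or separators>. */
    public static final class HeaderName {
        private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t"; // the 19 separators
        private final String token;

        public HeaderName(String name) {
            Objects.requireNonNull(name, "name");
            if (name.isEmpty()) throw new IllegalArgumentException("header name must not be empty");
            for (int i = 0; i < name.length(); i++) {
                char c = name.charAt(i);
                // CHAR is US-ASCII 0-127, CTL is 0-31 and 127, so only 32-126 minus separators remains
                if (c > 126 || c < 32 || SEPARATORS.indexOf(c) >= 0) {
                    throw new IllegalArgumentException("illegal character in header name at index " + i);
                }
            }
            this.token = name;
        }

        @Override public String toString() { return token; }
    }

    /** Immutable header value: *( field-content | LWS ), i.e. TEXT minus CTLs, with SP and HT allowed. */
    public static final class HeaderValue {
        // Assumed cap: Apache's default LimitRequestFieldSize is 8190, near the ~10,000 figure above.
        private static final int MAX_LENGTH = 8190;
        private final String text;

        public HeaderValue(String value) {
            Objects.requireNonNull(value, "value");
            if (value.length() > MAX_LENGTH) throw new IllegalArgumentException("header value too long");
            for (int i = 0; i < value.length(); i++) {
                char c = value.charAt(i);
                if (c > 127) throw new IllegalArgumentException("non-ASCII at index " + i + ": encode per RFC 2047 first");
                // CR and LF are CTLs, so a raw line break is rejected here: this is the response-splitting check
                if ((c < 32 && c != '\t') || c == 127) throw new IllegalArgumentException("control character at index " + i);
            }
            this.text = value;
        }

        @Override public String toString() { return text; }
    }
}
```

With these types an addHeader(HeaderName, HeaderValue) overload cannot receive a value containing CR or LF at all: `new HeaderValue("abc\r\nX: y")` throws from the constructor, before anything reaches the response.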