Why is "Protocol Violation" not tolerated by HttpWebRequest by default?

Morgan Cheng

I have a crawler in C#. The main functionality relies on HttpWebRequest
and HttpWebResponse. It shows that some webpages are not downloaded
successfully. A WebException is thrown with info "exception happens:
The server committed a protocol violation. Section=ResponseHeader
Detail=CR must be followed by LF".

I know that HTTP requires headers to be separated by CRLF, but it also
recommends that UserAgent implementations tolerate CR-only and LF-only
messages. It is said that it is risky for a user-agent to tolerate CR-only
or LF-only, but what is the security hole? Which kind of attack can
take advantage of that?
 
ktrvnbq02

Morgan said:
I know that HTTP requires headers to be separated by CRLF, but it also
recommends that UserAgent implementations tolerate CR-only and LF-only
messages. It is said that it is risky for a user-agent to tolerate CR-only
or LF-only, but what is the security hole? Which kind of attack can
take advantage of that?

This is probably related to HTTP Response Splitting and similar
attacks:

http://en.wikipedia.org/wiki/HTTP_response_splitting


regards,

Matt
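
An added illustration, not part of either post and not .NET's actual parser: the same header bytes read by a strict reader (CRLF only) and a lenient one (bare CR or LF also ends a line). The class name, method names and sample headers are hypothetical and constructed for this example; the point is that the two readers disagree about which headers are present, which is the kind of ambiguity strict parsing refuses to accept.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class HeaderLineCheck
{
    // Strict: a line ends only at CRLF. Returns null when a bare CR or bare LF
    // appears, mirroring the "CR must be followed by LF" rejection.
    public static List<string> ParseStrict(string block)
    {
        var lines = new List<string>();
        var cur = new StringBuilder();
        for (int i = 0; i < block.Length; i++)
        {
            char c = block[i];
            if (c == '\r' && i + 1 < block.Length && block[i + 1] == '\n')
            {
                lines.Add(cur.ToString());
                cur.Clear();
                i++; // skip the LF of the CRLF pair
            }
            else if (c == '\r' || c == '\n') return null; // protocol violation
            else cur.Append(c);
        }
        if (cur.Length > 0) lines.Add(cur.ToString());
        return lines;
    }

    // Lenient: CRLF, bare CR and bare LF are all treated as line ends.
    public static List<string> ParseLenient(string block)
    {
        string normalized = block.Replace("\r\n", "\n").Replace('\r', '\n');
        return new List<string>(
            normalized.Split(new[] { '\n' }, StringSplitOptions.RemoveEmptyEntries));
    }

    static void Main()
    {
        // Constructed sample: the X-Note value carries a bare CR in the middle.
        string block = "HTTP/1.1 200 OK\r\nX-Note: a\rX-Extra: constructed\r\nContent-Length: 0\r\n";
        var strict = ParseStrict(block);
        var lenient = ParseLenient(block);
        Console.WriteLine("strict : " + (strict == null ? "rejected (bare CR/LF)" : strict.Count + " lines"));
        Console.WriteLine("lenient: " + lenient.Count + " lines");
        foreach (var line in lenient) Console.WriteLine("  " + line);
    }
}
```

A component that uses the lenient reading sees `X-Extra` as a separate header, while one that splits only on CRLF sees it as part of the `X-Note` value.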
 
