[PATCH] Enforce that CR precede LF in chunk lines
Ben Kallus
benjamin.p.kallus.gr at dartmouth.edu
Thu Feb 15 00:44:22 UTC 2024
> Overall, I don't think there is a big difference here.
All I can say is that the hardest part of pulling off that type of
attack is guessing the length correctly. If you want to make that job
marginally easier, that's fine by me :)
> It won't, because "-C" is a non-portable flag provided by a
> Debian-specific patch.
There is a CRLF option for nmap-ncat, openbsd netcat, and
netcat-traditional, as well as whatever nc ships with macOS. GNU
netcat doesn't support it, but it's unmaintained anyway.
> And even if it will work for some, this
> will still complicate testing.
Most of the tests already use CRLF appropriately. Test cases that use
bare LF in chunks are inadvertently also testing an Nginx quirk in
addition to what they are intending to test, which is probably
undesirable.
-Ben
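
Added example, not part of the message above and not nginx's parser: a minimal chunked-body framing check showing how a body whose chunk lines end in bare LF is accepted by a lenient parser and rejected once CR is required before LF. The names `chunked_len`, `eol` and `hexval` are hypothetical, the sample input is constructed, and chunk extensions and trailers are left out as a simplification.

```c
#include <stddef.h>
#include <stdio.h>

/* Terminator length at p (0 = none). strict: CRLF only; else bare LF also counts. */
static size_t eol(const char *p, const char *end, int strict)
{
    if (end - p >= 2 && p[0] == '\r' && p[1] == '\n') return 2;
    if (!strict && p < end && p[0] == '\n') return 1;
    return 0;
}
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Payload length of a chunked body, or -1 on a framing error. */
long chunked_len(const char *buf, size_t n, int strict)
{
    const char *p = buf, *end = buf + n;
    long total = 0;
    for (;;) {
        size_t size = 0, k;
        const char *start = p;
        for (int v; p < end && (v = hexval(*p)) >= 0; p++)   /* chunk-size */
            if ((size = size * 16 + (size_t)v) > (1u << 24)) return -1;
        if (p == start || (k = eol(p, end, strict)) == 0) return -1;
        p += k;
        if (size == 0) {                           /* last-chunk + final EOL */
            k = eol(p, end, strict);
            return (k && p + k == end) ? total : -1;
        }
        if ((size_t)(end - p) < size) return -1;   /* truncated chunk-data */
        p += size;
        if ((k = eol(p, end, strict)) == 0) return -1;
        p += k;
        total += (long)size;
    }
}

int main(void)
{
    static const char lf[] = "5\nhello\n0\n\n";   /* constructed sample */
    printf("strict=%ld lenient=%ld\n",
           chunked_len(lf, sizeof lf - 1, 1), chunked_len(lf, sizeof lf - 1, 0));
    return 0;
}
```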