WebApp Sec mailing list archives
RE: [WEB SECURITY] Re: HTTP Parameter Pollution
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 20 May 2009 22:51:47 +0100
I believe he means how web servers treat it. I guess it's very important for web servers to handle HPP in the same way, else I would need to change the application implementation every time I change my web server, which is definitely not accepted.
Well, a standard would supposedly mean selecting one or more of the possible interpretations (which in turn will logically make the other choices non-compliant). So doesn't that conflict with the previous logic; that all the options are indeed valid (and only the mismatch is the problem)?

Also, in my experience, most web server APIs have both a raw interface and some kind of interpreted interface to the request. Even ignoring the specific issue being debated here, using the interpreted interfaces across platforms and across language APIs will generally throw up all kinds of inconsistencies that must be worked around in the code anyway. You'll only get platform independence if you roll your own code and use the raw interface.

Martin...
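The raw-versus-interpreted distinction discussed in this message, as an added example that is not part of the original post or the thread: the code parses the raw query string itself, shows three interpretations an interpreted interface might return for a repeated parameter, and applies one fixed policy (reject duplicates). The function names, the reject policy and the sample query string are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

def parse_raw_query(raw):
    """Split a raw query string into ordered (name, value) pairs, keeping duplicates."""
    pairs = []
    for field in raw.split("&"):
        if not field:
            continue  # tolerate empty fields such as "a=1&&b=2"
        name, _, value = field.partition("=")
        # Decode before comparing names, so "acc%6Funt" and "account" match.
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def interpretations(pairs, name):
    """Three ways a repeated parameter can be collapsed to a single value."""
    values = [v for n, v in pairs if n == name]
    if not values:
        return None
    return {"first": values[0], "last": values[-1], "joined": ",".join(values)}

def duplicated_names(pairs):
    """Names that occur more than once, in order of first repetition."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups

def strict_params(raw):
    """One fixed policy applied to the raw request: refuse repeated names."""
    pairs = parse_raw_query(raw)
    dups = duplicated_names(pairs)
    if dups:
        raise ValueError("duplicate parameters: " + ", ".join(dups))
    return dict(pairs)

# Constructed sample: the second "account" is percent-encoded in the raw string.
SAMPLE = "account=1001&amount=10&acc%6Funt=2002"

if __name__ == "__main__":
    pairs = parse_raw_query(SAMPLE)
    print(interpretations(pairs, "account"))
    print(duplicated_names(pairs))
    try:
        strict_params(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the policy is applied to the raw string, the result does not change when the application is moved to a platform whose interpreted interface collapses duplicates differently.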