←back to thread

CRLF is obsolete and should be abolished

(fossil-scm.org)
422 points km | 4 comments | 13 Oct 24 19:16 UTC | HN request time: 0.699s | source
1. tedunangst ◴[13 Oct 24 20:28 UTC] No.41831300[source]
No mention of what happened the last time we mixed and matched line endings? https://smtpsmuggling.com/
replies(1): >>41831360 #
2. deltaknight ◴[13 Oct 24 20:36 UTC] No.41831360[source]
Doesn’t this show that ignoring CR and only processing LFs is a good idea? If I’m understanding right (probably wrong), this vuln relied on some servers using CRLF only as endings, and others supporting both CRLF and LF.

If every server updated to line-end of LF, thereby supporting both types, this vuln wouldn’t happen?

Of course if there’s is a mixed bag then I guess this is still possible, if your server only supports CRLF. At least in that scenario you have some control over the issue though.

replies(2): >>41832169 #>>41833561 #
3. hifromwork ◴[13 Oct 24 22:14 UTC] No.41832169[source]
Yes, if every server/middleware implemented parsing in the same way this kind of vulnerability wouldn't happen. Same goes for HTTP smuggling and other smuggling attacks.

Unfortunately, asking more people to ignore the currently estabilished standards makes the problem worse, not better.

4. dwattttt ◴[14 Oct 24 02:10 UTC] No.41833561[source]
As I mentioned else-thread: it doesn't matter as much which option is chosen, so long as everyone agrees. If everyone agrees that LF on its own is enough (and we stop sending CR's to make sure it's not part of whatever comes before LF), that's fine. But it's just as fine for everyone to agree that CRLF is right, and reject plain LF.