tedunangst ◴[] No.41831300[source]
No mention of what happened the last time we mixed and matched line endings? https://smtpsmuggling.com/
replies(1): >>41831360 #
deltaknight ◴[] No.41831360[source]
Doesn’t this show that ignoring CR and only processing LFs is a good idea? If I’m understanding right (probably wrong), this vuln relied on some servers using CRLF only as endings, and others supporting both CRLF and LF.

If every server updated to line-end of LF, thereby supporting both types, this vuln wouldn’t happen?

Of course if there’s a mixed bag then I guess this is still possible, if your server only supports CRLF. At least in that scenario you have some control over the issue though.

replies(2): >>41832169 #>>41833561 #
1. dwattttt ◴[] No.41833561[source]
As I mentioned else-thread: it doesn't matter as much which option is chosen, so long as everyone agrees. If everyone agrees that LF on its own is enough (and we stop sending CRs to make sure it's not part of whatever comes before LF), that's fine. But it's just as fine for everyone to agree that CRLF is right, and reject plain LF.
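
Added example, not part of any comment in this thread: a simplified Python model of the disagreement discussed above, where one parser ends a message body only at CRLF "." CRLF and another also accepts a lone LF, plus the "reject plain LF" check. Function names and the sample byte strings are constructed for illustration, and this is not a full SMTP parser (no dot-stuffing, no commands).

```python
import re

CRLF_EOD = b"\r\n.\r\n"

# A bare LF (not preceded by CR) or a bare CR (not followed by LF).
BARE_ENDING = re.compile(rb"(?<!\r)\n|\r(?!\n)")

# End-of-data as seen by a parser that treats LF alone as a line ending too.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")


def end_of_data_strict(stream):
    """Offset just past the terminator when only CRLF.CRLF ends the body."""
    i = stream.find(CRLF_EOD)
    return -1 if i < 0 else i + len(CRLF_EOD)


def end_of_data_lenient(stream):
    """Offset just past the terminator when LF.LF is accepted as well."""
    m = LENIENT_EOD.search(stream)
    return -1 if m is None else m.end()


def bare_line_endings(stream):
    """Byte offsets of every CR or LF that is not part of a CRLF pair."""
    return [m.start() for m in BARE_ENDING.finditer(stream)]


def parsers_agree(stream):
    """True when both interpretations end the body at the same offset."""
    return end_of_data_strict(stream) == end_of_data_lenient(stream)


def accept_crlf_only(stream):
    """The 'everyone agrees on CRLF' policy: refuse input with bare CR/LF."""
    return not bare_line_endings(stream)


# Constructed sample inputs.
CLEAN = b"line one\r\nline two\r\n.\r\n"
MIXED = b"line one\n.\nline two\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("mixed", MIXED)):
        print(name, "strict end:", end_of_data_strict(data),
              "lenient end:", end_of_data_lenient(data),
              "bare endings at:", bare_line_endings(data),
              "accepted by CRLF-only policy:", accept_crlf_only(data))
```

On the mixed input the two parsers stop at different offsets, so the bytes after the first stop are body text to one and a separate unit to the other; the CRLF-only policy refuses that input before the difference can matter.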