RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1", June 1999

Note: This RFC has been obsoleted by RFC 7230 RFC 7231 RFC 7232 RFC 7233 RFC 7234 RFC 7235

Source of RFC: http (app)

Errata ID: 3407
Status: Held for Document Update
Type: Technical

Reported By: Thomas Lane
Date Reported: 2012-11-14
Held for Document Update by: Barry Leiba
Date Held: 2012-11-27

Section 2.2 says:

   Comments can be included in some HTTP header fields by surrounding
   the comment text with parentheses. Comments are only allowed in
   fields containing "comment" as part of their field value definition.
   In all other fields, parentheses are considered part of the field
   value.

       comment        = "(" *( ctext | quoted-pair | comment ) ")"
       ctext          = <any TEXT excluding "(" and ")">

   A string of text is parsed as a single word if it is quoted using
   double-quote marks.

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>

   The backslash character ("\") MAY be used as a single-character
   quoting mechanism only within quoted-string and comment constructs.

       quoted-pair    = "\" CHAR

It should say:

   Comments can be included in some HTTP header fields by surrounding
   the comment text with parentheses. Comments are only allowed in
   fields containing "comment" as part of their field value definition.
   In all other fields, parentheses are considered part of the field
   value.

       comment        = "(" *( ctext | quoted-pair | comment ) ")"
       ctext          = <any TEXT excluding "\", "(" and ")">

   A string of text is parsed as a single word if it is quoted using
   double-quote marks.

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT excluding "\" and <">>

   The backslash character ("\") MAY be used as a single-character
   quoting mechanism only within quoted-string and comment constructs.

       quoted-pair    = "\" CHAR

Notes:

Allowing "\" in qdtext and ctext creates ambiguous semantics.

Consider:
" \" (\ was a qdtext, so string has terminated)
" \""(\ is part of the quoted pair \")
" \ " (Is this an escaped space or a bare backslash?)
" \\"" (first \ is qdtext and second \ is part of quoted-pair \")

Analogous examples would work for ctext and comment, as well.

It looks to me as though the intended meaning was for the implementer to consider "\" part of a quoted-pair whenever possible. It's always possible, so the obvious fix would be to exclude it from ctext and qdtext, and use \\ whenever the user desires a textual backslash.

--- VERIFIER NOTES ---
This issue is already being dealt with in the HTTP 1.1 work in the HTTPBIS working group. The 2616 updates, which will be published soon, will include fixes for this.

Report New Errata