RFC Errata
RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1", June 1999
Note: This RFC has been obsoleted by RFC 7230 RFC 7231 RFC 7232 RFC 7233 RFC 7234 RFC 7235
Source of RFC: http (app)
Errata ID: 3407
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Thomas Lane
Date Reported: 2012-11-14
Held for Document Update by: Barry Leiba
Date Held: 2012-11-27
Section 2.2 says:
Comments can be included in some HTTP header fields by surrounding the comment text with parentheses. Comments are only allowed in fields containing "comment" as part of their field value definition. In all other fields, parentheses are considered part of the field value. comment = "(" *( ctext | quoted-pair | comment ) ")" ctext = <any TEXT excluding "(" and ")"> A string of text is parsed as a single word if it is quoted using double-quote marks. quoted-string = ( <"> *(qdtext | quoted-pair ) <"> ) qdtext = <any TEXT except <">> The backslash character ("\") MAY be used as a single-character quoting mechanism only within quoted-string and comment constructs. quoted-pair = "\" CHAR
It should say:
Comments can be included in some HTTP header fields by surrounding the comment text with parentheses. Comments are only allowed in fields containing "comment" as part of their field value definition. In all other fields, parentheses are considered part of the field value. comment = "(" *( ctext | quoted-pair | comment ) ")" ctext = <any TEXT excluding "\", "(" and ")"> A string of text is parsed as a single word if it is quoted using double-quote marks. quoted-string = ( <"> *(qdtext | quoted-pair ) <"> ) qdtext = <any TEXT excluding "\" and <">> The backslash character ("\") MAY be used as a single-character quoting mechanism only within quoted-string and comment constructs. quoted-pair = "\" CHAR
Notes:
Allowing "\" in qdtext and ctext creates ambiguous semantics.
Consider:
" \" (\ was a qdtext, so string has terminated)
" \""(\ is part of the quoted pair \")
" \ " (Is this an escaped space or a bare backslash?)
" \\"" (first \ is qdtext and second \ is part of quoted-pair \")
Analogous examples would work for ctext and comment, as well.
It looks to me as though the intended meaning was for the implementer to consider "\" part of a quoted-pair whenever possible. It's always possible, so the obvious fix would be to exclude it from ctext and qdtext, and use \\ whenever the user desires a textual backslash.
--- VERIFIER NOTES ---
This issue is already being dealt with in the HTTP 1.1 work in the HTTPBIS working group. The 2616 updates, which will be published soon, will include fixes for this.