Daniel A. Nagy wrote:
On Mon, Oct 10, 2005 at 03:30:29PM +0100, Ben Laurie wrote:
That mantra has shown to be a less than great idea recently, since it
promotes interestingly obscure security holes, so I still would like to
know what the correct behaviour is, and I'd like the I-D to accurately
document that behaviour.
In that case, the empty line should be mandated,
I agree.
although distinguishing
between header data and base64 armor is quite straightforward and
unambiguous: headers always have colons in them, base64 armor never does.
This becomes less straightforward when you hit line length limits.
Thus, it should be impossible to derail a correct parser with a carefully
constructed header, though of course, it's easier to write the parser if one
assumes an empty line before the base64 data.
Mine does either (configurably).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff