W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: Issue 194: restricting allowed characters in quoted-pair

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 15 Sep 2009 23:23:15 -0700
Message-Id: <B67D4D81-79C5-43B3-A2C1-88EF3EA6609A@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: Mark Nottingham <mnot@mnot.net>
On Sep 15, 2009, at 10:43 PM, Mark Nottingham wrote:

> Yeah, what Julian said; I'd like to do this, but am concerned about  
> what it would mean.

It would mean that sending other quoted characters would no
longer comply with the protocol.  Since I don't know of any
implementations that quote other characters, that's fine with me.

It also means that recipients of other quoted characters should
consider the backslash to be used in error, which is probably a
good thing since the only reason to backslash other characters
on purpose is to trigger a security hole.

> Can we keep it (relatively) open in BNF, and caution against  
> quoting anything but DQUOTE in prose?
>
> Not a great solution, but...

We could, but how does that help implementations?  I'd rather
be more conservative in the ABNF and let Postel's Law influence
the prose.  I suspect that other uses of backslash are not
intended to be quoting in any case, so the recipient is probably
better off treating them as two characters.  e.g., DOS pathnames.

....Roy
Received on Wednesday, 16 September 2009 06:23:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:10 GMT