W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: \-decoding filename parameters [was: TICKET 259: 'treat as invalid' not defined]

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 03 Feb 2011 19:52:43 +0100
Message-ID: <4D4AF97B.2060006@gmx.de>
To: Mark Nottingham <mnot@mnot.net>
CC: Adam Barth <ietf@adambarth.com>, httpbis <ietf-http-wg@w3.org>
On 03.02.2011 04:49, Mark Nottingham wrote:
> Having had some time away from this, and re-reading the thread, I notice that HTTPbis already disallows the production of many \-encoded characters:
>
>     Producers SHOULD NOT escape characters that do not require escaping
>     (i.e., other than DQUOTE and the backslash character).
>
> (p1, 1.2.2)
>
> So, really, we're already talking about error handling when we talk about things like \b, etc.
>
> Furthermore, AFAICT neither 2616 nor bis really talk about the semantics and handling of "unusual" \-encoded characters. According to the current definition, one could plausibly decode "\n" to be a newline, since all that's really said about it is
>
>     The backslash character ("\") MAY be used as a single-character
>     quoting mechanism only within quoted-string and comment constructs.
>
> (although I doubt that happens IRL).

That has bugged me for some time, and I wasn't sure whether I was just 
too pedantic and the answer is obvious. We should treat this as 
something we need to fix.

That being said: the spec specifies quoted-pair in a way that other 
characters are allowed. If we don't change that, we need to say what it 
means to use this.

The grammar in HTTP was inspired by RFC 822 and successors, and RFC 5322 
says:

"Where any quoted-pair appears, it is to be interpreted as the character 
alone. That is to say, the "\" character that appears as part of a 
quoted-pair is semantically "invisible"." -- 
<http://greenbytes.de/tech/webdav/rfc5322.html#rfc.section.3.2.1>

This happens to match my intuitive understanding what escape characters 
are for, so I'd propose that we adopt that.

> At the least, then, we should continue to discourage the use of \-escaping for things other than "\" and<">.

Recommending not to escape things that do not need escaping is fine. I'm 
not sure whether this needs to be a SHOULD.

> If we were to write error-handling advice for it, it seems that we could give *weak* advice to replace with "_" or "-" (based upon<http://greenbytes.de/tech/tc2231/#attwithasciifnescapedchar>). We should probably also consider that question for BIS, but that can wait for now.

Disagreed.

First of all, this is only error handling if we actually forbid those 
sequences. We don't do that right now.

It would be bad if we ended up with different rules for processing 
quoted-string depending on where they occur, just to able that some 
broken implementations can claim that they are not.

> To me the currently relevant question is whether implementers will eventually support escaping "\" and<">. Right now a few do (see<http://greenbytes.de/tech/tc2231/#attwithasciifnescapedquote>), but many don't. However, since this is a "soft" failure / interop problem (i.e., it affects how a file is named when saved on disk, but doesn't prevent it from being saved or named), I don't see that as a reason to not specify it.

Sending a filename with a literal backslash character in it is likely an 
attempt by the sender to trick the recipient to overwrite files in 
another directory. The spec already recommends:

"When the value contains path separator characters, all but the last 
segment SHOULD be ignored. This prevents unintentional overwriting of 
well-known file system location (such as "/etc/passwd")." -- 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-content-disp-04.html#rfc.section.3.3>

So it really doesn't matter a lot at what stage the \ disappears.

Escaped DQUOTEs 
(<http://greenbytes.de/tech/tc2231/#attwithasciifnescapedquote>) cover a 
use case that has no other solution (except for 5987-encoding 
everything). So I believe the right thing to do is to keep this 
specified, and potentially warn servers about the UAs that can't handle 
it (similar to the way we already warn about the "%" problem).

> ...

Best regards, Julian
Received on Thursday, 3 February 2011 18:53:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:36 GMT