Re: FYI... Binary Optimized Header Encoding for SPDY

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Sun, 5 Aug 2012 12:23:42 -0400
Message-ID: <CAMm+Lwj_MqNJRkXLVUbwCZdqFru_GwFs9Pe8AB+jYSQNO8jy=g@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
On Sun, Aug 5, 2012 at 8:31 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <501E5A69.5000802@treenet.co.nz>, Amos Jeffries writes:
>
>>Only if you try to cache along the assumed filesystem hierarchy implicit
>>in URLs. Using the absolute URL as an opaque hash key (as Squid does)
>>instead of reading any meaning in its syntax avoids all these issues
>>completely.
>
> But opens you up to DoS attacks along the lines of:
>
>         GET /ABCDEF.html
>         GET /%41BCDEF.html
>         GET /A%42CDEF.html
>         ...


Those are actually the same URL. Just different encodings.


-- 
Website: http://hallambaker.com/
Received on Sunday, 5 August 2012 16:24:09 GMT
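
Added example, not part of the original message and not Squid's code: a sketch of percent-encoding normalization (RFC 3986, sections 6.2.2.1 and 6.2.2.2) applied before a request target is used as an opaque cache key, so that the equivalent encodings quoted above collapse into a single cache entry. The function names are hypothetical and the sample targets are constructed from the request lines in the thread.

```python
import re

# Unreserved characters per RFC 3986 section 2.3: percent-encoding them is
# never required, so the encoded and literal forms name the same resource.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")


def _normalize_triplet(match):
    """Decode one %XX triplet only if it encodes an unreserved character."""
    ch = chr(int(match.group(1), 16))
    if ch in UNRESERVED:
        return ch                          # %41 -> A
    # Reserved or other octets stay encoded; only the hex case is unified,
    # so %2f and %2F share a key but neither is turned into a literal "/".
    return "%" + match.group(1).upper()


def cache_key(request_target):
    """Hypothetical helper: normalized request target for use as a cache key.

    re.sub makes a single left-to-right pass, so "%2541" stays "%2541"
    instead of being decoded twice into "A".
    """
    return PCT_TRIPLET.sub(_normalize_triplet, request_target)


def distinct_keys(targets):
    """Number of cache entries a list of request targets would occupy."""
    return {cache_key(t) for t in targets}


# Constructed sample input: the three request targets quoted in the thread.
SAMPLES = ["/ABCDEF.html", "/%41BCDEF.html", "/A%42CDEF.html"]

if __name__ == "__main__":
    print(distinct_keys(SAMPLES))
    print(cache_key("/a%2fb"), cache_key("/a/b"))
```

Without normalization the three sample targets would occupy three separate entries under an opaque-string key; with it they share one, while `/a%2Fb` and `/a/b` remain distinct because `%2F` encodes a reserved character.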