
Re: FYI... Binary Optimized Header Encoding for SPDY

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 07 Aug 2012 11:40:22 +1200
To: <ietf-http-wg@w3.org>
Message-ID: <6b761cde4a29477880b4ac8e89a1f320@treenet.co.nz>
On 07.08.2012 06:53, Martin Nilsson wrote:
> The HTTP proxy syntax is an ongoing source for security issues, due
> to too relaxed pattern matching.
>
> GET http://random.com/?facebook.com HTTP/1.1
> GET http://facebook.com@random.com/ HTTP/1.1
> GET http://facebook.com.random.com/ HTTP/1.1
>

What "proxy syntax"? All I see there is a bunch of absolute-URI for 
random.com.

Splitting this into pieces on-wire and then re-assembling them into the 
same canonical URL before pattern matching will not result in admin 
people suddenly knowing safer patterns. The ones having trouble now 
already fail to use the tools provided correctly...

This would require re-writing most RFCs to handle new URL syntax, and 
we would have to maintain backward-compatibility and accept these forms 
anyway - which means no gain. Abolishing the second form would be nice 
to avoid credentials leakage in HTTP when it's used as a Basic-auth 
substitute. But then again it's used for a lot more than basic auth these 
days. Think salting parameter, three-legged auth algorithm name(s), 
domain realm, session ID, etc.

Amos
Received on Monday, 6 August 2012 23:40:49 GMT
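Amos's point is that all three request-targets are absolute-URIs whose host is random.com, and that the trouble comes from matching the raw line instead of the parsed, canonical host. The following is an added illustration, not code from either poster or from any proxy: it contrasts a substring ACL with a host-based one using Python's standard `urllib.parse`, on the three URLs quoted in the thread (the only inputs, constructed here as a list). The function names `naive_match`, `host_of`, `host_match` and `evaluate` are this example's own.

```python
from urllib.parse import urlsplit

# Constructed sample input: the three request-targets quoted in the thread.
REQUEST_TARGETS = [
    "http://random.com/?facebook.com",
    "http://facebook.com@random.com/",
    "http://facebook.com.random.com/",
]


def naive_match(url: str, allowed_domain: str) -> bool:
    """The relaxed pattern matching the thread warns about: a bare substring test.

    Matches anywhere in the request-target, so query strings, userinfo and
    look-alike subdomains all satisfy it.
    """
    return allowed_domain in url


def host_of(url: str) -> str:
    """Canonical host of an absolute-URI.

    urlsplit().hostname already discards the userinfo ("facebook.com@"),
    the port and everything after the authority, and lower-cases the result.
    A trailing dot (fully-qualified form) is stripped so it compares equal.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in request-target {url!r}")
    return host.rstrip(".")


def host_match(url: str, allowed_domain: str) -> bool:
    """ACL decision on the canonical host: exact match or a real subdomain.

    'facebook.com.random.com' ends with 'random.com', not '.facebook.com',
    so the third quoted form is rejected; the first two have host random.com.
    """
    host = host_of(url)
    allowed = allowed_domain.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


def evaluate(urls, allowed_domain):
    """Return (url, naive verdict, host-based verdict) for each request-target."""
    return [(u, naive_match(u, allowed_domain), host_match(u, allowed_domain))
            for u in urls]


if __name__ == "__main__":
    for url, naive, strict in evaluate(REQUEST_TARGETS, "facebook.com"):
        print(f"{url:40} substring={naive!s:5} host={host_of(url):25} "
              f"host-match={strict}")
```

Every quoted line passes the substring test and none passes the host test, which is the "same canonical URL before pattern matching" step Amos describes: the parser does the splitting and re-assembly, and the ACL is written against the host it yields rather than against the wire form.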
