W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2012

Re: #409: is parsing OBS-FOLD mandatory?

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 12 Dec 2012 22:18:38 +0100
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20121212211838.GC19220@1wt.eu>
On Wed, Dec 12, 2012 at 10:18:28AM -0800, Roy T. Fielding wrote:
> > """
> > If a received protocol element is processed, the recipient MUST be able to parse any value that would match the ABNF rules for that protocol element, excluding only those rules not applicable to the recipient's role, and those rules whose names begin with "obs-" (e.g., obs-fold).
> > """
> Do we really want to exclude non-ASCII octets (obs-text) and older
> date formats (obs-date)?  Do we demote them to SHOULD or MAY?

This is a good point. Line-folding causes security issues and does not
seem to be used by senders, but I think we all regularly catch some
obs-text and obs-date come from old applications or crippled devices.

> This change is fine with me, but it is a hard break from retaining
> compatibility and we need to be absolutely sure we want to do that.

I'd rather not break these ones, personally.

Couldn't we settle on just stating that obs-fold is normally not used,
is known to cause security issues when improperly implemented, and
should either be completely supported, or rejected, but in all cases
must be detected ?

Received on Wednesday, 12 December 2012 21:19:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:07 UTC