Re: consensus on :query ?

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Jul 2014 09:53:12 +0200
To: Roberto Peon <grmocg@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140721075312.GO21834@1wt.eu>

On Mon, Jul 21, 2014 at 12:14:18AM -0700, Roberto Peon wrote:
> Assuming that query params get put into the compressor, splitting the path
> off means that an attacker gets to test against all of those query-parts
> with a query and *any* path.

I'm not sure what you mean; we're speaking about having a single :query
for whatever follows the question mark, right? If so, all the params
must be tried as a single block.

Willy
Received on Monday, 21 July 2014 07:56:51 UTC
