Sorry I still don't understand.
If the server needs both a correct path and correct query to provide the
desired response, then surely you need to guess both.
Or are we suggesting that path can be guessed independently because
there's a different status returned for invalid query vs invalid path?
In which case how does that differ from now?
------ Original Message ------
From: "Roberto Peon" <grmocg@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Martin Thomson" <martin.thomson@gmail.com>; "Willy Tarreau"
<w@1wt.eu>; "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Phil Hunt"
<phil.hunt@oracle.com>; "Mark Nottingham" <mnot@mnot.net>; "HTTP Working
Group" <ietf-http-wg@w3.org>
Sent: 22/07/2014 11:24:56 a.m.
Subject: Re: consensus on :query ?
>If the path contains:
>/foo/RANDOM_NUMBER/bar
>
>and the query contains:
>q=foo&user=SOME_SECRET_ID
>
>Then guessing:
>/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
>
>is far, far FAR more difficult than guessing:
> q=foo&user=SOME_SECRET_ID
>alone or
> /foo/RANDOM_NUMBER/bar
>alone.
>
>
>-=R
>
>
>On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <adrien@qbik.com>
>wrote:
>>
>>I don't see how it makes any difference. Splitting something in two
>>(path?query vs. path, query) doesn't add or subtract information or
>>alter entropy. It's just a different way of parsing.
>>
>>
>>
>>------ Original Message ------
>>From: "Martin Thomson" <martin.thomson@gmail.com>
>>To: "Willy Tarreau" <w@1wt.eu>
>>Cc: "Roberto Peon" <grmocg@gmail.com>; "Poul-Henning Kamp"
>><phk@phk.freebsd.dk>; "Phil Hunt" <phil.hunt@oracle.com>; "Mark
>>Nottingham" <mnot@mnot.net>; "HTTP Working Group"
>><ietf-http-wg@w3.org>
>>Sent: 22/07/2014 1:20:27 a.m.
>>Subject: Re: consensus on :query ?
>>
>>>On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>>>
>>>> I'm not sure what you mean, we're speaking about having a single :query
>>>> for whatever follows the question mark, right ? If so, all the params
>>>> must be tried as a single block.
>>>
>>>Yes, but there could be cases where the combination of path and query
>>>contain sufficiently high entropy in combination, but one or other
>>>contains insufficient entropy on its own to resist guessing attacks.
>>>
>>
>
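The disagreement in the thread comes down to which oracle the attacker has. If a guess can only be confirmed for the whole `path?query`, the search spaces of the path and the query multiply; if the path and the query can each be confirmed on their own, they merely add. The following toy model is an added illustration and is not code from the thread or from any HTTP/2 implementation: it uses constructed 8-bit stand-ins for `RANDOM_NUMBER` and `SOME_SECRET_ID` so the brute force finishes instantly, and the "oracles" are plain in-memory comparisons.

```python
import itertools

# Constructed toy model (added illustration, not part of the thread): a
# request is a pair (path_token, query_token), each drawn from a small space
# so the enumeration below finishes instantly. The two tokens stand in for
# RANDOM_NUMBER in the path and SOME_SECRET_ID in the query.
PATH_BITS = 8
QUERY_BITS = 8


def expected_guesses_combined(path_bits: int, query_bits: int) -> float:
    """Average guesses to hit one value when the attacker only learns whether
    the whole path?query matched: the two spaces multiply."""
    n = 2 ** (path_bits + query_bits)
    return (n + 1) / 2


def expected_guesses_split(path_bits: int, query_bits: int) -> float:
    """Average guesses when the path and the query can each be confirmed on
    their own: the two spaces add instead of multiplying."""
    return (2 ** path_bits + 1) / 2 + (2 ** query_bits + 1) / 2


def simulate(secret_path: int, secret_query: int,
             path_bits: int = PATH_BITS, query_bits: int = QUERY_BITS):
    """Enumerate guesses against two toy oracles and return (combined, split).

    combined_oracle answers only 'did the full pair match?'.
    path_oracle / query_oracle answer separately for each component, which
    is the situation the thread is worried about when a low-entropy path and
    a low-entropy query can each be attacked independently.
    """
    paths = range(2 ** path_bits)
    queries = range(2 ** query_bits)

    def combined_oracle(p, q):
        return p == secret_path and q == secret_query

    def path_oracle(p):
        return p == secret_path

    def query_oracle(q):
        return q == secret_query

    # One oracle over the whole pair: worst case walks all 2^(p+q) pairs.
    combined = 0
    for p, q in itertools.product(paths, queries):
        combined += 1
        if combined_oracle(p, q):
            break

    # Two independent oracles: worst case walks 2^p + 2^q values.
    split = 0
    for p in paths:
        split += 1
        if path_oracle(p):
            break
    for q in queries:
        split += 1
        if query_oracle(q):
            break
    return combined, split


if __name__ == "__main__":
    print("expected guesses, combined oracle:",
          expected_guesses_combined(PATH_BITS, QUERY_BITS))
    print("expected guesses, split oracles:  ",
          expected_guesses_split(PATH_BITS, QUERY_BITS))
    print("worst case secret (255, 255):", simulate(255, 255))
```

With the constructed 8-bit tokens the combined oracle needs about 32768 guesses on average against 257 for the split oracles; with realistic token sizes the gap is the difference between 2^(p+q) and 2^p + 2^q, which is Roberto's "far, far FAR more difficult" and Martin's point that a combination can resist guessing even when neither component would on its own.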