- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 31 Mar 2015 10:19:01 +0200
- To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Mar 31, 2015 at 04:57:03PM +0900, "Martin J. Dürst" wrote:
> On 2015/03/31 14:42, Willy Tarreau wrote:
> >Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> >characters because this could be used to bypass some WAFs for example:
> >if it is detected that a server implements this standard and is able
> >to %-decode some attributes in header fields, and a WAF in the middle
> >does not, the client can abuse the %-encoding to try to hide some
> >activities.
>
> This makes a lot of sense, but we have to be careful that this doesn't
> apply to all US-ASCII characters; there will be some that have to be
> escaped because of syntactic constraints.

Absolutely, I was making a general point. For sure, commas, semi-colons,
spaces, tabs, quotes for example should be encoded.

Willy
Received on Tuesday, 31 March 2015 08:19:30 UTC
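Added example, not part of the thread or of any participant's message: a small Python model of the WAF-bypass scenario Willy describes, with a naive filter that inspects the raw header parameter, an origin that %-decodes it, and two ways an intermediary can close the gap (decode before matching, or reject %-encoded US-ASCII that has no syntactic reason to be encoded). The blocklist, the sample parameter values and the set of "must be encoded" delimiters are constructed assumptions for illustration, not text from the draft under discussion.

```python
"""Model of %-encoding evasion in an HTTP header-field parameter.

Constructed example (assumptions): the WAF matches substrings of the raw
header value; the origin implements the draft and %-decodes the value before
using it; the delimiter set below is an illustrative guess at which US-ASCII
characters need encoding for syntactic reasons.
"""
import re
from urllib.parse import unquote

# Constructed blocklist a naive WAF might apply to header-field values.
BLOCKLIST = ("<script", "../", "\r\n")

# Assumption for illustration: US-ASCII characters whose %-encoding is
# syntactically necessary inside a parameter value.  The thread names commas,
# semicolons, spaces, tabs and quotes; '%' is included because it is the
# escape character itself.
ASCII_ENCODING_REQUIRED = frozenset(' \t",;%')

PCT = re.compile(r'%([0-9A-Fa-f]{2})')          # a complete %HH sequence
STRAY_PCT = re.compile(r'%(?![0-9A-Fa-f]{2})')  # a '%' not followed by two hex digits


def matches_blocklist(text):
    """Case-insensitive substring match against BLOCKLIST."""
    low = text.lower()
    return any(pattern in low for pattern in BLOCKLIST)


def waf_passes_raw(value):
    """Naive WAF: inspects the raw header value without %-decoding it."""
    return not matches_blocklist(value)


def origin_decodes(value):
    """Origin server: %-decodes the parameter value before acting on it."""
    return unquote(value)


def waf_passes_normalized(value):
    """Hardened WAF, option 1: decode the way the origin will, then match."""
    return not matches_blocklist(origin_decodes(value))


def unnecessary_ascii_encoding(value):
    """Hardened WAF, option 2 (the rule proposed in the thread): flag any
    %-encoded US-ASCII octet that is not a delimiter needing encoding, and any
    stray '%' that does not start a complete %HH sequence."""
    if STRAY_PCT.search(value):
        return True
    for match in PCT.finditer(value):
        octet = int(match.group(1), 16)
        if octet < 0x80 and chr(octet) not in ASCII_ENCODING_REQUIRED:
            return True
    return False


def evaluate(value):
    """Show what each party sees/decides for one parameter value."""
    return {
        "naive_waf_passes": waf_passes_raw(value),
        "origin_sees": origin_decodes(value),
        "normalized_waf_passes": waf_passes_normalized(value),
        "strict_rejects": unnecessary_ascii_encoding(value),
    }


# Constructed sample parameter values (e.g. a filename-style parameter).
SAMPLES = (
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E",  # evasion: '<' '>' '/' encoded
    "..%2F..%2Fetc%2Fpasswd",               # evasion: '/' encoded
    "report%20%22final%22.pdf",             # legitimate: space and quote encoded
    "caf%C3%A9.txt",                        # legitimate: non-ASCII (UTF-8) bytes
    "abc%4",                                # malformed: incomplete %HH
)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(sample))
```

The decode-then-match check only helps if the intermediary decodes exactly as the origin does; the strict rule is simpler to enforce and does not depend on mirroring the origin's parser, which is why the thread leans toward forbidding unnecessary encoding outright.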