W3C home > Mailing lists > Public > uri@w3.org > June 2003

Re: draft-fielding-uri-rfc2396bis-03, section 7

From: Martin Duerst <duerst@w3.org>
Date: Wed, 18 Jun 2003 11:44:25 -0400
Message-Id: <4.2.0.58.J.20030618110104.03dbe550@localhost>
To: "Roy T. Fielding" <fielding@apache.org>, uri@w3.org

Hello Roy,

In the next few mails, I'll send in my comments on
draft-fielding-uri-rfc2396bis-03. I'll do this by section,
in no particular order. I'll mix comments of different
seriousness, and indicate how serious they are if I don't
think that's obvious. Appologies if something already has
been discussed.

I'll start with section 7.

7.1: It is unclear how 'Reliability and Consistency' relate
      to security. In some cases, these are related, in others,
      they are independent.

      I suggest adding some additional text, e.g.:

      Therefore, if the information retrieved from an URI is
      used for security-relevant operations, or if the operation
      triggered by the URI itself is security-relevant, means
      other than just checking the identity of the URI
      (i.e. checking the actual information returned,...)
      are necessary.

      Please feel free to improve on this text.

7.3: 'via a SMTP server' -> 'via an SMTP server'

7.3, last paragraph (about escaped delimiters, e.g. for TCP):
      This is a valid security concern, but I think it is unclear
      and too general.

      First, in the phrase "when an URI contains escaped delimiters
      for a given protocol", it is not fully clear whether these are
      delimiters in the protocol, or in URIs (or, as may be, in both),
      and whether the escaping refers to %-escaping, or to some
      protocol-specific escaping. I suggest to clarify this, e.g.
      as follows (I might have gotten it wrong):

         when an URI contains %-escaped octets which when
         unescaped serve as delimiters in a given protocol

      Second, the paragraph mixes octets and characters.
      I suggest to use octets throughout.

      Third, I think this is too general. There may well be
      delimiters that have to be %-escaped because they interfere
      with URI syntax, but that are absolutely harmless and crucial
      to the basic operation of the protocol. So I would reword
      along the lines:

         Care should be taken ... with unescaping of such octets.
         If these octets can be used to simulate ... harmful
         remote operation being performed, then they should not
         be unescaped even if this may violate the protocol.
         Please see the security considerations of the relevant
         protocol and URI scheme for details.

Please add: Spoofing by using visually similar URIs.
This is a consideration that is missing, but that is important.
It is somewhat related to 7.5, and may go in there, but it is
different in nature in that there is much closer visual similarity.
For text, I suggest you look at section 7 of
http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt,
in particular the paragraphs on spoofing, and scale that down
to the ASCII-only context.

Please add: Some security consideration corresponding to attacks
such as Nimda. This is somewhat related to the 'unescaping'
issue at the end of 7.3, but is different in that unescaping
occurs on the server side, and in the wrong order (e.g.
unescaping slashes after checking security but before
parsing and execution) or to a greater extent than appropriate
(e.g. wrongly unescaping 'overlong UTF-8' encodings of
syntactic characters, or doing too many rounds of unescaping
(e.g. unescaping %252F twice: %252F -> %2F -> /). For text,
please see the first paragraph of section 7 in
http://www.w3.org/International/iri-edit/draft-duerst-iri-03.txt.


Regards,    Martin.



At 19:07 03/06/06 -0700, Roy T. Fielding wrote:

>I have just submitted draft 03, which can also be obtained via
>the issues list at
>
>    http://www.apache.org/~fielding/uri/rev-2002/issues.html
>
>Please note that all issues have been fixed or closed.  If you'd
>like to raise a new issue or reopen an old one, please do so
>within the next two weeks.
>
>
>Cheers,
>
>Roy T. Fielding, Chief Scientist, Day Software
>                  2 Corporate Plaza, Suite 150
>                  Newport Beach, CA 92660-7929   fax:+1.949.644.5064
>                  (roy.fielding@day.com) <http://www.day.com/>
>
>                  Co-founder, The Apache Software Foundation
>                  (fielding@apache.org)  <http://www.apache.org/>
Received on Wednesday, 18 June 2003 11:45:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 January 2011 12:15:31 GMT