Thanks, Elliotte. I agree that we haven't thought enough about security yet; that section was more of a placeholder than anything else. Cheers, On 30/09/2007, at 8:10 PM, Elliotte Harold wrote: > I've just read the URI templating draft spec. Looks good overall, > except for section 4 which feels like it should be expanded. > Section 4 reads: > > > 4. Security Considerations > > A URI Template does not contain active or executable content. Other > security considerations are the same as those for URIs, see section 7 > of RFC3986.I am concerned that this is insufficiently "creative" in > imagining possible attacks. In particular, I suspect that URI > templates might be able to pass "bad" URIs through systems that > would recognize and reject them if they were passed through as an > expanded URI. > > Just maybe, it would be possible to run in reverse where a URI such > as http://www.example.com/%7Bfoo%7D gets turned into http:// > www.example.com/{foo} and gets snuck into a system that will > process the URI template. > > Likely these would rely on application bugs or omissions. > Nonetheless these are not bugs or omissions that would cause > problems today, so they may exist in current software and doubtless > in careless software written in the future. Section 4 should > consider such problems and warn readers about them. > > -- > Elliotte Rusty Harold > erharold@gmail.com -- Mark Nottingham http://www.mnot.net/Received on Sunday, 30 September 2007 23:19:19 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 23 October 2007 06:11:49 GMT