- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 13 May 2020 05:18:19 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Ian Clelland <iclelland@google.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
On 12.05.2020 23:22, Poul-Henning Kamp wrote: > -------- > In message <6121e33e-46d3-e361-9e4e-ad0158a0a8c5@gmx.de>, Julian Reschke writes > : > >> The issue here is that combining >> >> Foo: "a >> >> and >> >> Foo: b" >> >> into >> >> Foo: "a, b" >> >> *hides* an issue, and no failure will occur. Furthermore, we not only >> get no failure, but the resulting string may vary depending on how the >> fields were combined. >> >> I get that it's unavoidable that this *can* happen, but does this mean >> we should *disallow* failing for that input? > > Yes, we should disallow it, because that would cause a valid request > to fail unless a proxy implemented a particular way is in the path. How can the request be valid, if the resulting string is not fully predictable? (https://greenbytes.de/tech/webdav/draft-ietf-httpbis-header-structure-18.html#rfc.section.4.2.p.6) > I think we say this very clearly on page 23: > > When generating input_bytes, parsers MUST combine all lines in the > same section (header or trailer) that case-insensitively match the > field name into one comma-separated field-value, as per [RFC7230], > Section 3.2.2; this assures that the entire field value is processed > correctly. > > Poul-Henning > > PS: I think your example is wrong, the combined header would be: > > Foo: "a,b" > > Because there is an important asymmetry in RFC7230/3.2.2. > > A sender is required to know the syntax of the header is a comma > separated list, before can split the header. > > A receiver on the other hand is under no such obligation, and therefore > > "…by appending each subsequent field value to > the combined field value in order, separated by a comma." > > should be interpreted narrowly: Only a comma, not whitespace. (see Willy's reply) FWIW, the latest spec says: "A recipient MAY combine multiple field lines with the same field name into one field line, without changing the semantics of the message, by appending each subsequent field line value to the initial field line value in order, separated by a comma and optional whitespace. For consistency, use comma SP." <https://greenbytes.de/tech/webdav/draft-ietf-httpbis-semantics-latest.html#rfc.section.4.1.p.2> We go on with "This means that, aside from the well-known exception noted below, a sender MUST NOT generate multiple field lines with the same name in a message (whether in the headers or trailers), or append a field line when a field line of the same name already exists in the message, unless that field's definition allows multiple field line values to be recombined as a comma-separated list [i.e., at least one alternative of the field's definition allows a comma-separated list, such as an ABNF rule of #(values) defined in Section 4.5]." I wonder whether we should point out that each *individual* field line needs to conform to the syntax defined for the field value, so that splitting strings over lines would be disallowed. Best regards, Julian
Received on Wednesday, 13 May 2020 03:19:03 UTC