Re: Sections 3.3.1 and 5.1

Paul Leach wrote:
>
> >----------
> >From: 	Ben Laurie[SMTP:ben@algroup.co.uk]
> >Subject: 	Sections 3.3.1 and 5.1
> >
> >Section 5.1
> >
> >'The origin server MUST decode the Request-URI in order to properly
> >interpret the request.  In requests that they forward, proxies MUST NOT
> >rewrite the "abs_path" part of a Request-URI in any way except as noted
> >above to replace a null abs_path with "*". Invalid Request-URIs SHOULD
> >be responded to with an appropriate status code. Proxies MAY transform
> >the Request-URI for internal processing purposes, but MUST NOT send such
> >a transformed Request-URI in forwarded requests.
> >Note: This rule ensures that the form of Request-URI is well specified,
> >to enable future extensions without fear that they will break in the
> >face of some rewritings. One consequence of rewriting the Request-URI is
> >that integrity or authentication checks by the server may fail.
> >Implementers should be aware that some pre-HTTP/1.1 proxies have been
> >known to rewrite the Request-URI.'
> >
> >Speaking as one of those responsible for maintaining the Apache proxy 
> >module, I wonder about the intent of this paragraph - if a proxy is 
> >permitted to rewrite, presumably to make such transformations as a/./b 
> >-> a/b and a/b/../c -> a/c, then it hardly seems fair to allow the 
> >server to interpret them in a different way. Is this what is intended or
> >are there other kinds of rewriting which it seeks to forbid?
> 
> I don't understand your question -- proxies are NOT permitted to rewrite
> in any way, so the assumption of your "if" sentence is false. And the
> proximate reason is so that inclusion of URLs in authentication
> calculations isn't foiled by proxies rewriting the URLs (as is stated in
> the note at the end of the section you quote).

Proxies are permitted to rewrite internally. I understand the reasoning but
it seems to me that this should be a restriction on URLs (that is, that they
are always in their canonical form) rather than on proxies.

Cheers,

Ben.

> 
> Paul

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.

Received on Friday, 31 May 1996 14:25:35 UTC
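
The failure mode discussed in this thread, as an added example that is not part of the original messages: a proxy that normalizes a/b/../c to a/c only for internal use leaves a URI-bound authentication check intact, while one that forwards the normalized form breaks it. The RFC 2069-style digest, the credentials, the nonce and all function names are assumptions chosen for illustration; the thread does not name a scheme.

```python
import hashlib
import hmac
import posixpath

# Constructed sample values; none of them come from the thread.
USER, REALM, PASSWORD, NONCE = "alice", "example", "s3cret", "abc123"

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def digest_response(method, uri):
    """RFC 2069-style digest: the Request-URI is part of the hashed input."""
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{NONCE}:{ha2}")

def normalize_path(path):
    """Collapse dot segments, e.g. a/./b -> a/b and a/b/../c -> a/c."""
    return posixpath.normpath(path)

def proxy_forward(request_uri, rewrite_on_wire):
    """Return (internal_key, forwarded_uri).

    Normalizing for internal use (here: a cache key) is what Section 5.1
    allows; sending the normalized form onward is what it forbids.
    """
    internal_key = normalize_path(request_uri)
    forwarded = internal_key if rewrite_on_wire else request_uri
    return internal_key, forwarded

def server_verify(method, received_uri, client_response):
    """Simplified server check: recompute the digest over the URI received."""
    expected = digest_response(method, received_uri)
    return hmac.compare_digest(expected, client_response)

def run_demo(request_uri="/a/b/../c"):
    client_response = digest_response("GET", request_uri)
    results = {}
    for label, rewrite in (("conforming", False), ("rewriting", True)):
        key, forwarded = proxy_forward(request_uri, rewrite)
        results[label] = (key, forwarded,
                          server_verify("GET", forwarded, client_response))
    return results

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Both proxies use the same internal key, so the conforming one loses nothing by forwarding the Request-URI byte for byte.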