Re: Is the ABNF for <request-target> in HTTPbis too general? from Roy T. Fielding on 2011-10-18 (ietf-http-wg@w3.org from October to December 2011)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 18 Oct 2011 10:05:20 -0700
To: Adrian Custer <acuster@gmail.com>
Cc: ietf-http-wg@w3.org
Message-Id: <62296E98-1DA5-4C49-B344-A66BC5557A94@gbiv.com>

On Oct 14, 2011, at 9:45 AM, Adrian Custer wrote:

> Editors of the HTTPbis specification,
> 
> 
> In looking at the <request-target> element of the ABNF definition which
> spans both HTTPbis Part 1 and RFC 3986, it appears that the ABNF allows
> <Request-Line> elements of the illegal form
>    GET http://server:80some/non/rooted/path?andquery

No, that is misreading the ABNF notation (line breaks imply parens).
Actual parens would have been better in 3986, but it is not an error.

> or
>    GET http://server:80?query
> both of which are missing the leading "/" character in the path.

Yes, that is allowed.  Note that request-target can be any URI, not
just http or https URIs.  Think proxies.

> This arises from the ABNF reusing the <hier-part> from the <URI>
> definition which is too flexible when defining an <absolute-URI> element
> for a <request-target>. Indeed, the only difference between the <URI>
> and the <absolute-URI> elements in RFC 3986 is the presence of the
> fragment which does not appear related to any notion of 'absolute.'
> 
> 
> 
> 
> Starting with the definition of the <request-target>
> 
>     ;HTTPbis, section 4.1
>  Request-Line   = Method SP request-target SP HTTP-Version CRLF
> 
>    ;HTTPbis, section 4.1.2
>  request-target = "*"
>                    / absolute-URI
>                    / ( path-absolute [ "?" query ] )
>                    / authority
> 
> we consider only those built with <absolute-URI>
> 
>    ;HTTPbis, Appendix B
>  absolute-URI = <absolute-URI, defined in [RFC3986], Section 4.3>
> 
> so moving to RFC 3986, we have
> 
>    ;RFC 3986, section 4.3
>  absolute-URI  = scheme ":" hier-part [ "?" query ]
> 
>    ;RFC 3986, Appendix A
>  hier-part     = "//" authority path-abempty
>                 / path-absolute
>                 / path-rootless
>                 / path-empty
> 
> these last two elements of <hier-part> seem to me to be illegal in HTTP
> request messages, giving rise to my two original examples. (In passing,
> clarifying parenthesization would have been useful in this definition.)

Those are valid in requests to a proxy.  The proxy is responsible for
determining whether the URI needs to be redirected to some other form.

....Roy

Received on Tuesday, 18 October 2011 17:05:41 UTC