- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 07 Dec 2011 23:30:31 +1300
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: ietf-http-wg@w3.org
On 7/12/2011 10:01 p.m., Julian Reschke wrote: > On 2011-12-07 03:45, Amos Jeffries wrote: >> On Tue, 06 Dec 2011 19:46:47 +0100, Julian Reschke wrote: >>> >>> We're trying to find some structure in HTTP header field syntax, see >>> <http://trac.tools.ietf.org/wg/httpbis/trac/wiki/HeaderFieldTypes> for >>> the work-in-progress. >>> >> >> That list of ABNF is missing the pattern that could be called >> "quoted-blob" or such. Things which appear superficially to have the >> syntax of quoted-string but exclude the quoted-pair (or failed to spec >> escaping entirely, with the same end result). ie the string portion may >> contain bare \ characters which will break attempts to use a >> quoted-string parser on it. > > Oh, that's something we don't want to encourage! > >> Examples for this can be found in the new ETag ABNF from HTTPbis and the >> path= parameter of Digest authentication. Possibly elsewhere I have not >> run into yet. > > If "path" does this in Digest for WWW-Authenticate, then Digest is > broken and we should raise an erratum. Err. double-checking myself that parameter name was "uri=" I was recalling from bad experiences ... with WebKit (Chrome) http://bugs.squid-cache.org/show_bug.cgi?id=3077#c3 and Gecko (Firefox) http://bugs.squid-cache.org/show_bug.cgi?id=3077#c9 Arguably the RFC 2617 does not explicitly mention quotes in the definition and one can argue that they should not have placed the "" around the value. Still, its happening anyway. On the Digest challenge header "domain=" explicitly defines use of quotes ( <"> absoluteURI | abs_path <"> ), again with no mention what to do with the quoted-pair escape character which MAY be in the URI query-string portion (RFC 2396 emphasis). This one has not been sighted (yet) AFAIK. Amos
Received on Wednesday, 7 December 2011 10:31:21 UTC