- From: Adrien de Croy <adrien@qbik.com>
- Date: Sun, 05 Aug 2012 23:22:57 +0000
- To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>, "Phillip Hallam-Baker" <hallam@gmail.com>
- Cc: "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Personally I see little value in allowing a "safe" character to be encoded with %, and specify it has no semantic meaning (that it is encoded rather than "native").

Why not simply deprecate such things for 2.0, and when it comes to putting together a 1.1 message from a 2.0 message, it needs encoding at that stage, and at that stage, there's only 1 allowed way to do it, e.g. safe chars MUST NOT be %-encoded etc.

Adrien

------ Original Message ------
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To: "Phillip Hallam-Baker" <hallam@gmail.com>
Cc: "Amos Jeffries" <squid3@treenet.co.nz>;"ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 6/08/2012 4:39:46 a.m.
Subject: Re: FYI... Binary Optimized Header Encoding for SPDY

>In message <CAMm+Lwj_MqNJRkXLVUbwCZdqFru_GwFs9Pe8AB+jYSQNO8jy=g@mail.gmail.com>
>, Phillip Hallam-Baker writes:
>
>>
>>On Sun, Aug 5, 2012 at 8:31 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>>
>>>
>>>But opens you up to DoS attacks along the lines of:
>>>
>>>   GET /ABCDEF.html
>>>   GET /%41BCDEF.html
>>>   GET /A%42CDEF.html
>>>   ...
>>>
>>
>>
>>Those are actually the same URL. Just different encodings.
>>
>
>
>That's exactly the point.
>
>Intermediaries need to decode URI and therefore the question of ASCII
>vs. UTF8 performance is relevant.
>
>But as I said earlier: I'm not sure if the advantage goes to ASCII
>with the need for further encoding, or to UTF8 with no further encoding
>needed.
>
>--
>Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
>phk@FreeBSD.ORG | TCP/IP since RFC 956
>FreeBSD committer | BSD since 4.3-tahoe
>Never attribute to malice what can adequately be explained by incompetence.
Received on Sunday, 5 August 2012 23:23:33 UTC
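
An added example, not part of the original thread: one way an intermediary can collapse the equivalent encodings quoted above into a single cache key, following the percent-encoding normalization in RFC 3986 section 6.2.2.2. The names `cache_key`, `distinct_keys` and `SAMPLE_REQUESTS` are hypothetical, and the request paths are constructed sample input.

```python
import re

# RFC 3986 section 2.3 "unreserved" characters: these never need %-encoding,
# so an encoded and a literal form of them identify the same resource.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT_TRIPLET = re.compile(r"%([0-9A-Fa-f]{2})")


def _normalize_triplet(match):
    """Decode a %XX triplet only if it encodes an unreserved character."""
    char = chr(int(match.group(1), 16))
    if char in UNRESERVED:
        return char
    # Reserved or non-ASCII octets stay encoded (decoding %2F would change
    # the path structure); only the hex digits are upper-cased.
    return "%" + match.group(1).upper()


def cache_key(path):
    """Canonical form of a request path for cache lookup (hypothetical helper).

    The substitution is a single, non-overlapping pass, so "%2541" is left
    as "%2541" and is never double-decoded into "A".
    """
    return _PCT_TRIPLET.sub(_normalize_triplet, path)


# Constructed sample input: the three requests from the thread plus two
# paths that must NOT be merged with each other.
SAMPLE_REQUESTS = [
    "/ABCDEF.html",
    "/%41BCDEF.html",
    "/A%42CDEF.html",
    "/a%2fb.html",
    "/a/b.html",
]


def distinct_keys(paths):
    """Set of cache entries the given request paths would occupy."""
    return {cache_key(p) for p in paths}


if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(f"{p:20} -> {cache_key(p)}")
    print("cache entries:", len(distinct_keys(SAMPLE_REQUESTS)))
```
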