- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Tue, 07 Aug 2012 11:40:22 +1200
- To: <ietf-http-wg@w3.org>
On 07.08.2012 06:53, Martin Nilsson wrote: > The HTTP proxy syntax is an ongoing source for security issues, due > to too relaxed pattern matching. > > GET http://random.com/?facebook.com HTTP/1.1 > GET http://facebook.com@random.com/ HTTP/1.1 > GET http://facebook.com.random.com/ HTTP/1.1 > What "proxy syntax"? All I see there is a bunch of absolute-URI for random.com. Splitting this into pieces on-wire and then re-assembling them into the same canonical URL before pattern matching will not result in admin people suddenly knowing safer patterns. The ones having trouble now already fail to use the tools provided correctly... This would require re-writing most RFCs to handle new URL syntax, and we would have to maintain backward-compatibility and accept these forms anyway - which means no gain. Abolishing the second form would be nice to avoid credentials leakage in HTTP when its used as a Basic-auth substitute. But then again its used for a lot more than basic auth these days. Think salting parameter, three-legged auth algorithm name(s), domain realm, session ID, etc. Amos
Received on Monday, 6 August 2012 23:40:49 UTC