Re: consensus on :query ?

Don't get me wrong-- I think it'd be mostly fine.
I also think, however, that this is a piece of information which is likely
to contain sensitive information, and as a result, if we want to do
something different than we do now, we should get it reviewed.

One simple example of how this makes stuff easier-- Since the path and
query are separated, an attack that attacks the local state by acting as a
malicious mitm of TCP packets may perform more attacks before the TCP recv
window runs out.

Do I think that is a particularly strong weakness? No. However, it still
needs review.

On Sun, Jul 20, 2014 at 10:46 PM, Willy Tarreau <> wrote:

> Hi Roberto,
> On Sun, Jul 20, 2014 at 06:33:01PM -0700, Roberto Peon wrote:
> > One doesn't have to guess path + query, one only guess the query.
> > In some scenarios, this enhances the attacker's ability to probe.
> > The question is, does it do so enough for us to care.
> I don't see why it would be a trouble since the path is generally
> well known and could be considered constant. It will be retrieved
> from a link on a page, a location header, or will just be "/" or
> something like this.
> Willy

Received on Monday, 21 July 2014 06:52:04 UTC