- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Mon, 21 Jul 2014 14:14:41 +0000
- To: Julian Reschke <julian.reschke@gmx.de>
- cc: Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Roberto Peon <grmocg@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
In message <53CD15C8.8030506@gmx.de>, Julian Reschke writes:
>On 2014-07-21 15:20, Martin Thomson wrote:
>> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>>
>>> I'm not sure what you mean, we're speaking about having a single :query
>>> for whatever follows the question mark, right ? If so, all the params
>>> must be tried as a single block.
>>
>> Yes, but there could be cases where the combination of path and query
>> contain sufficiently high entropy in combination, but one or other
>> contains insufficient entropy on its own to resist guessing attacks.
>
>...again, if we do things like that please do not couple it with "?".
>Just have two parts that get concatenated verbatim to reconstruct the
>full path+query.
The definition (sorry RFC2616, I don't have the newer one here right
now):
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
So no, '?' it is if we do it.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Monday, 21 July 2014 14:15:30 UTC