- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 21 Jul 2014 16:32:25 +0200
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- CC: Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Roberto Peon <grmocg@gmail.com>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014-07-21 16:14, Poul-Henning Kamp wrote: > In message <53CD15C8.8030506@gmx.de>, Julian Reschke writes: >> On 2014-07-21 15:20, Martin Thomson wrote: >>> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote: >>>> >>>> I'm not sure what you mean, we're speaking about having a single :query >>>> for whatever follows the question mark, right ? If so, all the params >>>> must be tried as a single block. >>> >>> Yes, but there could be cases where the combination of path and query >>> contain sufficiently high entropy in combination, but one or other >>> contains insufficient entropy on its own to resist guessing attacks. >> >> ...again, if we do things like that please do not couple it with "?". >> Just have two parts that get concatenated verbatim to reconstruct the >> full path+query. > > The definition (sorry RFC2616, I don't have the newer one here right > now): > > http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] > > So no, '?' it is if we do it. I have no idea how that follows from the URI grammar. Best regards, Julian
Received on Monday, 21 July 2014 14:33:07 UTC