Re: consensus on :query ?

Sorry I still don't understand.

If the server needs both a correct path and correct query to provide the 
desired response, then surely you need to guess both.

Or are we suggesting that path can be guessed independently because 
there's a different status returned for invalid query vs invalid path?

In which case how does that differ from now?

------ Original Message ------
From: "Roberto Peon" <>
To: "Adrien de Croy" <>
Cc: "Martin Thomson" <>; "Willy Tarreau" 
<>; "Poul-Henning Kamp" <>; "Phil Hunt" 
<>; "Mark Nottingham" <>; "HTTP Working 
Group" <>
Sent: 22/07/2014 11:24:56 a.m.
Subject: Re: consensus on :query ?

>If the path contains:
>and the query contains:
>Then guessing:
>is far, far FAR more difficult than guessing:
>   q=foo&user=SOME_SECRET_ID
>alone or
>   /foo/RANDOM_NUMBER/bar
>On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <> 
>>I don't see how it makes any difference.  Splitting something in two 
>>(path?query vs. path, query) doesn't add or subtract information or 
>>alter entropy.  It's just a different way of parsing.
>>------ Original Message ------
>>From: "Martin Thomson" <>
>>To: "Willy Tarreau" <>
>>Cc: "Roberto Peon" <>; "Poul-Henning Kamp" 
>><>; "Phil Hunt" <>; "Mark 
>>Nottingham" <>; "HTTP Working Group" 
>>Sent: 22/07/2014 1:20:27 a.m.
>>Subject: Re: consensus on :query ?
>>>On 21 July 2014 00:53, Willy Tarreau <> wrote:
>>>>  I'm not sure what you mean, we're speaking about having a single 
>>>>  for whatever follows the question mark, right ? If so, all the 
>>>>  must be tried as a single block.
>>>Yes, but there could be cases where the combination of path and query
>>>contain sufficiently high entropy in combination, but one or other
>>>contains insufficient entropy on its own to resist guessing attacks.

Received on Monday, 21 July 2014 23:33:43 UTC