Re: consensus on :query ?

path isn't allowed to have '?'

I was really hoping moving to a binary protocol would help us avoid 
string parsing, which requires defining / escaping of in-line structural 
elements, and creates a lot of opportunities for the type of bugs that 
create security holes.  It's just like SQL - the difference between 
using parsed SQL (and all the injection exploits that opens up) 
containing commands interspersed with data vs SQLBindParameter where 
data can only be data, not a command.

I think the benefits of separating out path from query are huge.

------ Original Message ------
From: "Ted Hardie" <ted.ietf@gmail.com>
To: "Willy Tarreau" <w@1wt.eu>
Cc: "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Mark Nottingham" 
<mnot@mnot.net>; "Jeroen de Borst" <J.deBorst@f5.com>; "Eric Rescorla" 
<ekr@rtfm.com>; "Martin Thomson" <martin.thomson@gmail.com>; "Roberto 
Peon" <grmocg@gmail.com>; "Phil Hunt" <phil.hunt@oracle.com>; "HTTP 
Working Group" <ietf-http-wg@w3.org>
Sent: 22/07/2014 3:23:07 a.m.
Subject: Re: consensus on :query ?

>On Mon, Jul 21, 2014 at 11:02 AM, Willy Tarreau <w@1wt.eu> wrote:
>>On Mon, Jul 21, 2014 at 02:52:17PM +0000, Poul-Henning Kamp wrote:
>> > In message <37DA5053-17A1-44EC-A0F7-A2BE77252309@mnot.net>, Mark Nottingham writes:
>> > >
>> > >On 21 Jul 2014, at 10:29 am, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>> > >
>> > >> In message <mailto:CFF29A8A.13500%25j.deborst@f5.com>, Jeroen de Borst writes:
>> > >>
>> > >>> Does adding :query imply that seeing a '?' in :path now requires error handling?
>> > >>
>> > >> It'd be a good idea to make the :query optional to use.
>> > >>
>> > >> That way people who care about the compression get it, and people
>> > >> who worry about security impacts can avoid it.
>> > >
>> > >That sounds like an interop nightmare… what do you do if there are both? Lots of edge cases...
>> >
>> > You always append '?' and :query and leave people with the result
>> > they asked for...
>>
>>Not exactly, I'd say you append '?' only if :query is present (even though
>>empty) then append :query.
>>
>>Will
>
>And in the case where there is both :path with a ? and a :query, you
>then...?  Put in a %3F and the :query?
>Omit the :query?  Concatenate the query to the path with the ? or the
>%3f?
>
>I agree with Mark; making this optional makes no sense.
>
>Ted

Received on Wednesday, 23 July 2014 00:11:59 UTC
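The rule Willy states (append '?' only when :query is present, even if empty, then append :query), combined with the top poster's constraint that :path is not allowed to contain '?', is small enough to write down as code. The example below is added here and is not code from the thread or from any HTTP/2 implementation; the pseudo-header names :path and :query come from the discussion, while the function names, the RequestTargetError class and the sample inputs are this example's own. It shows why keeping the two fields separate avoids the ambiguity Ted raises: a '?' in :path is rejected outright instead of being silently rewritten, whereas a '?' inside the query value is harmless because it is data, not a delimiter.

```python
"""Reconstruct a request-target from :path / :query pseudo-headers and
split a legacy request-target the other way.

Added example (not from the thread or any HTTP/2 code). Assumed rule:
  - :path must not contain '?' (the constraint stated at the top of the reply);
  - the target is :path, plus '?' and :query only when :query is present,
    an empty :query still producing a trailing '?' (Willy's rule).
"""
from typing import Dict, Optional, Tuple


class RequestTargetError(ValueError):
    """Raised when the pseudo-headers cannot be reconstructed unambiguously."""


def validate_path(path: str) -> None:
    """Reject a :path value that would make reconstruction ambiguous."""
    if path == "":
        raise RequestTargetError(":path must not be empty")
    if path != "*" and not path.startswith("/"):
        raise RequestTargetError(":path must be origin-form ('/...') or '*'")
    # This is the case Ted asks about: a '?' here plus a separate :query
    # would yield two query delimiters, and the receiver could not know
    # which one the sender intended. Fail closed rather than guess
    # (no silent %3F rewriting, no dropping of :query).
    if "?" in path:
        raise RequestTargetError("'?' is not allowed in :path; carry the query in :query")
    if "#" in path:
        raise RequestTargetError("fragment delimiter '#' is not allowed in :path")


def reconstruct_target(path: str, query: Optional[str]) -> str:
    """Build the request-target. query=None means ':query absent';
    query='' means ':query present but empty', which yields a trailing '?'."""
    validate_path(path)
    if query is None:
        return path
    if "#" in query:
        raise RequestTargetError("fragment delimiter '#' is not allowed in :query")
    # A '?' inside the query value is fine: it is data, not structure.
    return path + "?" + query


def target_from_headers(headers: Dict[str, str]) -> str:
    """Reconstruct from a dict of pseudo-header name -> value."""
    if ":path" not in headers:
        raise RequestTargetError(":path is required")
    return reconstruct_target(headers[":path"], headers.get(":query"))


def split_target(target: str) -> Tuple[str, Optional[str]]:
    """Reverse direction: split a legacy request-target into (:path, :query).
    Splits at the FIRST '?', so later '?' characters stay in the query."""
    path, sep, query = target.partition("?")
    validate_path(path)
    return path, (query if sep else None)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = [
        {":path": "/index.html"},                      # no query
        {":path": "/search", ":query": ""},            # present but empty
        {":path": "/search", ":query": "q=a%3Fb&x=?"}, # '?' inside data is fine
        {":path": "/a?b", ":query": "c"},              # ambiguous: rejected
    ]
    for hdrs in samples:
        try:
            print(hdrs, "->", target_from_headers(hdrs))
        except RequestTargetError as exc:
            print(hdrs, "-> rejected:", exc)
    print(split_target("/a?b?c"))
```

The split direction deliberately partitions on the first '?' only, which is also the point at which a proxy translating from HTTP/1.1 would have to decide; after that conversion the resulting :path can never contain '?', so the two representations round-trip without any escaping rules.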