- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 1 Apr 2015 21:19:30 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Apr 01, 2015 at 10:13:23AM +0200, Julian Reschke wrote: > On 2015-03-31 07:42, Willy Tarreau wrote: > >After a quick review, I think we should make it stricter. Currently, > >it suggests that recipients should be prepared to receive invalid code > >sequences but that can be dangerous when passing through multiple > >intermediaries because all of them could have different fallback > >methods. I'd rather make it clear that any recipient in the chain > >which finds an encoding issue must return a 400 bad req. > > a) It's not the case right now. How do you want to get this change > deployed in practice? Just like we said that multiple content-length values are not acceptable if different despite most implementations not doing the check yet. I mean, by not specifying the control, we can leave the hole open. > b) How do you want to signal an error on a *response*? Good point. In haproxy we return a 502 bad gateway when the server returns something unparsable. Only the client receives it and (in rare occasions) reports it. > >Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII > >characters because this could be used to bypass some WAFs for example : > >if it is detected that a server implements this standard and is able > >to %-decode some attributes in header fields, and a WAF in the middle > >does not, the client can abuse the %-encoding to try to hide some > >activities. > > Yes, that's the case right now. I'd argue that the spec has been out for > ages, so the intermediary ought to be fixed. I had never heard about %-encoding in header fields to be honnest, and I don't know which servers or intermediaries decode them given that unless I'm mistaken, "%" is a valid character in a header field and doesn't imply %-encoding. > >In addition to this, probably that we should make it clear that some > >characters must not be emitted nor encoded (NUL, CR, LF). The risk is > >that some intermediaries decode them and replace them before passing > >the request to the next hop and change the message header structure, > >resulting in issues similar to HTTP request smugling attacks. > > I think that depends on the header field it is used in. That can become delicate. > For instance, > RFC 6266 discusses these constraints for the filename parameter. Indeed, I wasn't aware of this. And it uses the same syntax as in your proposal. > >Otherwise I think it could be useful indeed. > > It already is, and has been for a long time. It's just that I never heard about this. I really think that in the future we should make better use of the 8bit-clean path of HTTP/2 to avoid having to repeat such exceptions, but I'm sure we'll have to go a long way before reaching this stage :-/ Thanks, Willy
Received on Wednesday, 1 April 2015 19:20:01 UTC