- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 01 Apr 2015 21:44:45 +0200
- To: Willy Tarreau <w@1wt.eu>
- CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2015-04-01 21:19, Willy Tarreau wrote: > On Wed, Apr 01, 2015 at 10:13:23AM +0200, Julian Reschke wrote: >> On 2015-03-31 07:42, Willy Tarreau wrote: >>> After a quick review, I think we should make it stricter. Currently, >>> it suggests that recipients should be prepared to receive invalid code >>> sequences but that can be dangerous when passing through multiple >>> intermediaries because all of them could have different fallback >>> methods. I'd rather make it clear that any recipient in the chain >>> which finds an encoding issue must return a 400 bad req. >> >> a) It's not the case right now. How do you want to get this change >> deployed in practice? > > Just like we said that multiple content-length values are not acceptable > if different despite most implementations not doing the check yet. I mean, > by not specifying the control, we can leave the hole open. I don't think that there *is* a hole. >> b) How do you want to signal an error on a *response*? > > Good point. In haproxy we return a 502 bad gateway when the server > returns something unparsable. Only the client receives it and (in > rare occasions) reports it. For Content-Disposition, this would likely break things that "work" today (for some value of "work"). >>> Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII >>> characters because this could be used to bypass some WAFs for example : >>> if it is detected that a server implements this standard and is able >>> to %-decode some attributes in header fields, and a WAF in the middle >>> does not, the client can abuse the %-encoding to try to hide some >>> activities. >> >> Yes, that's the case right now. I'd argue that the spec has been out for >> ages, so the intermediary ought to be fixed. > > I had never heard about %-encoding in header fields to be honnest, > and I don't know which servers or intermediaries decode them given > that unless I'm mistaken, "%" is a valid character in a header field > and doesn't imply %-encoding. You may want to re-read the spec. It only applies to specific parameter names ending in "*". >>> In addition to this, probably that we should make it clear that some >>> characters must not be emitted nor encoded (NUL, CR, LF). The risk is >>> that some intermediaries decode them and replace them before passing >>> the request to the next hop and change the message header structure, >>> resulting in issues similar to HTTP request smugling attacks. >> >> I think that depends on the header field it is used in. > > That can become delicate. It doesn't seem to be a problem today. >> For instance, >> RFC 6266 discusses these constraints for the filename parameter. > > Indeed, I wasn't aware of this. And it uses the same syntax as in > your proposal. It uses the encoding defined in RFC 5987, and that's the spec we would be revising here. >>> Otherwise I think it could be useful indeed. >> >> It already is, and has been for a long time. > > It's just that I never heard about this. > > I really think that in the future we should make better use of the > 8bit-clean path of HTTP/2 to avoid having to repeat such exceptions, > but I'm sure we'll have to go a long way before reaching this stage :-/ I agree, but that's a completely orthogonal project. Best regards, Julian
Received on Wednesday, 1 April 2015 19:45:39 UTC