
Re: Call for Adoption: draft-reschke-rfc5987bis

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 31 Mar 2015 10:19:01 +0200
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150331081901.GA7183@1wt.eu>
On Tue, Mar 31, 2015 at 04:57:03PM +0900, "Martin J. Dürst" wrote:
> On 2015/03/31 14:42, Willy Tarreau wrote:
> >Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> >characters because this could be used to bypass some WAFs for example :
> >if it is detected that a server implements this standard and is able
> >to %-decode some attributes in header fields, and a WAF in the middle
> >does not, the client can abuse the %-encoding to try to hide some
> >activities.
> 
> This makes a lot of sense, but we have to be careful that this doesn't 
> apply to all US-ASCII characters; there will be some that have to be 
> escaped because of syntactic constraints.

Absolutely, I was making a general point. For sure, commas, semi-colons,
spaces, tabs, quotes for example should be encoded.

Willy
Received on Tuesday, 31 March 2015 08:19:30 UTC
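The rule discussed above, as an added example that is not part of the original message or of draft-reschke-rfc5987bis: an ext-value decoder (charset'language'value-chars, RFC 5987 section 3.2.1) that, in strict mode, rejects a %-encoded octet whenever it decodes to an attr-char (ALPHA, DIGIT, "!#$&+-.^_`|~"), since the grammar allows those literally and encoding them only hides them from an intermediary that does not decode. Characters that the grammar forces into pct-encoding (space, tab, quote, comma, semicolon, "/", non-ASCII) stay accepted, which is the caveat raised in the reply. The "raw filter" is a constructed stand-in for a WAF rule that matches literal text without decoding; the sample values are constructed, and the strict rule itself is one reading of the proposal, not text from the draft.

```python
import re
import string

# attr-char, RFC 5987 section 3.2.1: the only characters that may appear
# unencoded inside value-chars. Anything else MUST be pct-encoded, so a
# %XX for those is legitimate; a %XX for an attr-char is needless.
ATTR_CHAR = frozenset(string.ascii_letters + string.digits + "!#$&+-.^_`|~")

# ext-value = charset "'" [ language ] "'" value-chars
_EXT_VALUE = re.compile(
    r"^(?P<charset>[A-Za-z0-9!#$%&+^_`{}~-]+)"
    r"'(?P<language>[A-Za-z0-9-]*)'"
    r"(?P<value>(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9!#$&+.^_`|~-])*)$"
)
_TOKEN = re.compile(r"%[0-9A-Fa-f]{2}|.")


def decode_ext_value(ext_value: str, strict: bool = True) -> str:
    """Decode an ext-value such as UTF-8''%e2%82%ac%20rates.

    strict=True rejects a %-encoded octet that decodes to an attr-char:
    the sender could have written it literally, so the encoding serves only
    to hide the character from something in the path that does not decode.
    (Assumed policy for this example; not mandated by the draft.)
    """
    m = _EXT_VALUE.match(ext_value)
    if not m:
        raise ValueError("not a well-formed ext-value")
    charset = m.group("charset").upper()
    if charset not in ("UTF-8", "ISO-8859-1"):
        raise ValueError(f"unsupported charset {charset!r}")
    raw = bytearray()
    for tok in _TOKEN.findall(m.group("value")):
        if tok.startswith("%"):
            octet = int(tok[1:], 16)
            if strict and octet < 0x80 and chr(octet) in ATTR_CHAR:
                raise ValueError(f"attr-char {chr(octet)!r} needlessly encoded as {tok}")
            raw.append(octet)
        else:
            raw.append(ord(tok))
    # UnicodeDecodeError is a ValueError, so bad UTF-8 is reported the same way.
    return raw.decode(charset)


def classify(ext_value: str) -> str:
    """'ok' if it decodes under the strict rule, 'evasive' if it decodes only
    when needless encoding of attr-chars is tolerated, 'malformed' otherwise."""
    try:
        decode_ext_value(ext_value, strict=True)
        return "ok"
    except ValueError:
        pass
    try:
        decode_ext_value(ext_value, strict=False)
        return "evasive"
    except ValueError:
        return "malformed"


def raw_filter_hit(ext_value: str) -> bool:
    """Constructed stand-in for a WAF rule that looks for a literal pattern in
    the undecoded field and never decodes ext-value."""
    return "../" in ext_value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    samples = [
        "UTF-8''%e2%82%ac%20rates",        # non-ASCII and space: must be encoded
        "UTF-8''a%2cb",                    # comma must be encoded: legitimate
        "UTF-8''%2e%2e%2fetc%2fpasswd",    # dots are attr-chars: strict rejects
        "UTF-8''..%2fetc%2fpasswd",        # only "/" encoded: strict accepts
        "UTF-8''%ff",                      # not valid UTF-8
    ]
    for s in samples:
        print(f"{s:34} raw-filter-hit={raw_filter_hit(s)!s:5} {classify(s)}")
```

Note the fourth sample: a value that encodes only the characters the grammar requires encoded still passes the strict rule and still slips past a filter that matches the raw text. Forbidding needless %-encoding removes the cheapest evasion, but an intermediary that inspects these parameters has to decode ext-value itself to see what the origin server will see.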