Re: Call for Adoption: draft-reschke-rfc5987bis

On Tue, Mar 31, 2015 at 04:57:03PM +0900, "Martin J. Dürst" wrote:
> On 2015/03/31 14:42, Willy Tarreau wrote:
> >Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> >characters because this could be used to bypass some WAFs for example :
> >if it is detected that a server implements this standard and is able
> >to %-decode some attributes in header fields, and a WAF in the middle
> >does not, the client can abuse the %-encoding to try to hide some
> >activities.
> This makes a lot of sense, but we have to be careful that this doesn't 
> apply to all US-ASCII characters; there will be some that have to be 
> escaped because of syntactic constraints.

Absolutely, I was making a general point. For sure, commas, semi-colons,
spaces, tabs, quotes for example should be encoded.


Received on Tuesday, 31 March 2015 08:19:30 UTC