- From: Kazuho Oku <kazuhooku@gmail.com>
- Date: Thu, 17 Nov 2016 10:06:04 +0900
- To: Poul-Henning Kamp <phk@critter.freebsd.dk>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

Thank you for writing the draft.

Regarding the numbers, could we either exclude floating point from the specification or state that an integral number MUST be encoded without using a dot?

The reason I ask is because it is hard to correctly implement a parser for floating point numbers, and a bug in the parser would likely lead to a vulnerability [1].

Note that in some (if not most) of the programming languages you would need to implement your own number parser to meet the needs. For example, you cannot use sscanf in C, because depending on the locale the function allows use of decimal points other than '.'.

If we could exclude floating point numbers from the specification entirely or have a restriction something like the above, parser implementors can refrain from implementing their own floating point number parsers until the specification they are interested in actually starts using the notation.

Non-integral numbers are rarely used in the HTTP headers. The only one I can recall is the q value of Accept-Encoding, but it is not a floating-point but actually a fixed-point number (of three decimals below the point), which could have been represented by using integral numbers between 0 and 1000.

    weight = OWS ";" OWS "q=" qvalue
    qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )

[1] https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0154.html

2016-10-31 3:59 GMT+09:00 Poul-Henning Kamp <phk@critter.freebsd.dk>:
> Updated in preparation for WG discussion in Seoul.
>
> Minor changes only.
>
> Github repo: https://github.com/bsdphk/id_common_structure
>
>
> ------- Forwarded Message
>
> A new version of I-D, draft-kamp-httpbis-structure-01.txt
> has been successfully submitted by Poul-Henning Kamp and posted to the
> IETF repository.
>
> Name: draft-kamp-httpbis-structure
> Revision: 01
> Title: HTTP header common structure
> Document date: 2016-10-30
> Group: Individual Submission
> Pages: 13
> URL: https://www.ietf.org/internet-drafts/draft-kamp-httpbis-structure-01.txt
> Status: https://datatracker.ietf.org/doc/draft-kamp-httpbis-structure/
> Htmlized: https://tools.ietf.org/html/draft-kamp-httpbis-structure-01
> Diff: https://www.ietf.org/rfcdiff?url2=draft-kamp-httpbis-structure-01
>
> Abstract:
> An abstract data model for HTTP headers, "Common Structure", and a
> HTTP/1 serialization of it, generalized from current HTTP headers.
>
> ------- End of Forwarded Message
>
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence..
>
>

--
Kazuho Oku
Received on Thursday, 17 November 2016 01:06:38 UTC
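The mail's point about qvalue being fixed-point rather than floating-point can be shown directly: the ABNF quoted above can be parsed into an integer in 0..1000 with a handful of byte comparisons, with no locale-sensitive library call involved. The following is an added example written for this page, not code from the thread or from any HTTP implementation; the function names parse_qvalue and parse_weight are my own.

```c
#include <stddef.h>

/* Parse a q-value per the ABNF quoted in the mail:
 *   qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )
 * Returns the value scaled by 1000 (so "0.125" -> 125, "1" -> 1000),
 * or -1 on any deviation from the grammar. Only the bytes '0'..'9'
 * and '.' are accepted, so unlike sscanf("%f") the result cannot
 * depend on the process locale, and it cannot overflow. */
int parse_qvalue(const char *s, size_t len)
{
    if (len == 0 || (s[0] != '0' && s[0] != '1'))
        return -1;
    int whole = s[0] - '0';
    int frac = 0;
    size_t i = 1;
    if (i < len) {
        if (s[i] != '.')
            return -1;             /* anything but '.' after the digit */
        ++i;
        size_t ndigits = 0;
        for (; i < len; ++i, ++ndigits) {
            if (ndigits == 3 || s[i] < '0' || s[i] > '9')
                return -1;         /* 4th digit, or a non-digit byte */
            if (whole == 1 && s[i] != '0')
                return -1;         /* "1" may only be followed by zeros */
            frac = frac * 10 + (s[i] - '0');
        }
        for (; ndigits < 3; ++ndigits)
            frac *= 10;            /* scale to three decimals: "0.5" -> 500 */
    }
    return whole * 1000 + frac;
}

/* Parse the full "weight" production: OWS ";" OWS "q=" qvalue, where
 * OWS is optional spaces/tabs. Same return convention as parse_qvalue. */
int parse_weight(const char *s, size_t len)
{
    size_t i = 0;
    while (i < len && (s[i] == ' ' || s[i] == '\t')) ++i;
    if (i >= len || s[i] != ';')
        return -1;
    ++i;
    while (i < len && (s[i] == ' ' || s[i] == '\t')) ++i;
    if (len - i < 2 || s[i] != 'q' || s[i + 1] != '=')
        return -1;
    i += 2;
    return parse_qvalue(s + i, len - i);
}
```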