- From: Benjamin Kaduk <kaduk@mit.edu>
- Date: Wed, 20 May 2020 09:23:05 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-header-structure@ietf.org, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
On Wed, May 20, 2020 at 08:39:03AM -0700, Benjamin Kaduk wrote:
>
> > >>> Section 6
> > >>>
> > >>> It seems worth mentioning the handling for duplicated key names (e.g.,
> > >>> in parameters and dictionaries) w.r.t. overwrite or must-be-unique, and
> > >>> how there have been previous vulnerabilities relating to different
> > >>> implementations choosing "first one wins" vs. "last one wins".
> > >>
> > >> That doesn't seem to apply to a correct implementation, only to headers that *aren't* structured fields.
> > >
> > > It's still motivation for why we are making the choices we did and a
> > > benefit that structured headers have over the existing mechanisms.
> >
> > Right, but that doesn't seem appropriate in Security Considerations; it's more Introduction / motivating material.
> >
> > > Also, it seems to explicitly apply to parameter map keys (per the earlier
> > > discussion).
> >
> > I've added a note to this effect in the Dictionary and Parameter parsing algorithms; see latest commit.

Hmm, the note says this discards duplicates after the first one, but the
procedures say to overwrite an existing value.  Shouldn't the note say
something else?

-Ben
Received on Wednesday, 20 May 2020 16:23:30 UTC
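The point under discussion, that a Dictionary or Parameter parser must pick one rule for repeated keys and that "first one wins" and "last one wins" consumers read the same field differently, is easiest to see in code. The following is an added example, not text or code from this thread, the draft, or its authors. It is a constructed toy parser that mirrors the shape of the draft's "Parsing a Dictionary" and "Parsing Parameters" algorithms for a subset of the grammar (keys, Integer/Token/Boolean bare items, Parameters; Inner Lists, Strings, Decimals and Byte Sequences are left out). The `policy` argument is an assumption added here for contrast: `"last"` is the overwrite behaviour the parsing algorithms specify, while `"first"` and `"reject"` model the alternatives the thread mentions. The returned duplicate-key list is the defensive check: a receiver that logs or refuses field values containing repeated keys removes the room for two consumers to disagree.

```python
# Constructed toy parser: mirrors the shape of the draft's "Parsing a
# Dictionary" / "Parsing Parameters" algorithms for a subset of the grammar
# (keys, Integer/Token/Boolean bare items, Parameters). The `policy` knob is
# an assumption added here; the specification itself says "overwrite".
import re
from collections import OrderedDict

KEY_RE = re.compile(r"[a-z*][a-z0-9_.*-]*")                # key ABNF
INT_RE = re.compile(r"-?[0-9]{1,15}")                      # Integer
TOKEN_RE = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+.^_`|~-]*")  # Token


class ParseError(ValueError):
    """Raised where the specification says to 'fail parsing'."""


class Cursor:
    """Minimal input_string: peek, match a regex, discard SP."""
    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def take_re(self, rx, what):
        m = rx.match(self.s, self.i)
        if not m:
            raise ParseError(f"expected {what} at offset {self.i}")
        self.i = m.end()
        return m.group(0)

    def skip_sp(self):
        while self.peek() == " ":
            self.i += 1


def parse_bare_item(c):
    """Subset of 'Parsing a Bare Item': Boolean, Integer, Token."""
    ch = c.peek()
    if ch == "?":                                          # Boolean: ?0 / ?1
        flag = c.s[c.i + 1:c.i + 2]
        c.i += 2
        if flag not in ("0", "1"):
            raise ParseError("bad boolean")
        return flag == "1"
    if ch == "-" or ch.isdigit():
        return int(c.take_re(INT_RE, "integer"))
    return c.take_re(TOKEN_RE, "token")


def store(mapping, key, value, policy, dups):
    """Duplicate-key rule. 'last' is what the algorithms specify (overwrite the
    existing value, position unchanged); 'first' and 'reject' are the other
    behaviours the thread contrasts it with. Every duplicate is recorded."""
    if key in mapping:
        dups.append(key)
        if policy == "reject":
            raise ParseError(f"duplicate key {key!r}")
        if policy == "first":
            return
    mapping[key] = value


def parse_parameters(c, policy, dups):
    params = OrderedDict()
    while c.peek() == ";":
        c.i += 1
        c.skip_sp()
        name = c.take_re(KEY_RE, "parameter key")
        value = True                                       # bare name means Boolean true
        if c.peek() == "=":
            c.i += 1
            value = parse_bare_item(c)
        store(params, name, value, policy, dups)
    return params


def parse_dictionary(text, policy="last"):
    """Return (members, duplicate_keys): members maps key -> (value, params);
    duplicate_keys lists every repeated member or parameter key, i.e. the
    places where 'first wins' and 'last wins' consumers would disagree."""
    c, members, dups = Cursor(text.strip(" ")), OrderedDict(), []
    while c.peek():
        key = c.take_re(KEY_RE, "key")
        value = True                                       # key without "=" is Boolean true
        if c.peek() == "=":
            c.i += 1
            value = parse_bare_item(c)
        params = parse_parameters(c, policy, dups)
        store(members, key, (value, params), policy, dups)
        c.skip_sp()
        if not c.peek():
            break
        if c.peek() != ",":
            raise ParseError("expected ',' between members")
        c.i += 1
        c.skip_sp()
        if not c.peek():
            raise ParseError("trailing comma")
    return members, dups
```

With the specified rule, `parse_dictionary("a=1, b=2, a=3")` yields `a` = 3 while keeping `a` in its original first position, which is what "overwrite its value" means for an ordered map and why a note describing it as "discard duplicates after the first" would say something different from the procedure. The same input under `policy="first"` yields `a` = 1, and a parameter list such as `k=v;p=1;p=2` shows the identical split for parameter map keys. The duplicate-key list is non-empty in both cases, so a receiver can treat such field values as suspect regardless of which rule a downstream component happens to apply.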