- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 21 May 2020 12:38:21 +1000
- To: Benjamin Kaduk <kaduk@mit.edu>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-header-structure@ietf.org, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Thanks, Ian C also caught this. Corrected in <https://github.com/httpwg/http-extensions/commit/c23df1c8>.

> On 21 May 2020, at 2:23 am, Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> On Wed, May 20, 2020 at 08:39:03AM -0700, Benjamin Kaduk wrote:
>>
>>>>>> Section 6
>>>>>>
>>>>>> It seems worth mentioning the handling for duplicated key names (e.g.,
>>>>>> in parameters and dictionaries) w.r.t. overwrite or must-be-unique, and
>>>>>> how there have been previous vulnerabilities relating to different
>>>>>> implementations choosing "first one wins" vs. "last one wins".
>>>>>
>>>>> That doesn't seem to apply to a correct implementation, only to headers that *aren't* structured fields.
>>>>
>>>> It's still motivation for why we are making the choices we did and a
>>>> benefit that structured headers have over the existing mechanisms.
>>>
>>> Right, but that doesn't seem appropriate in Security Considerations; it's more Introduction / motivating material.
>>>
>>>> Also, it seems to explicitly apply to parameter map keys (per the earlier
>>>> discussion).
>>>
>>> I've added a note to this effect in the Dictionary and Parameter parsing algorithms; see latest commit.
>
> Hmm, the note says this discards duplicates after the first one, but the
> procedures say to overwrite an existing value. Shouldn't the note say
> something else?
>
> -Ben

--
Mark Nottingham https://www.mnot.net/
Received on Thursday, 21 May 2020 02:38:41 UTC
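The duplicate-key behaviour the thread is arguing about, as an added illustration that is not part of the message or of the draft's own text: a reduced Structured Field Dictionary parser (keys, integer/token/boolean values, parameters only) that follows the parsing procedure's rule, where a repeated key overwrites the earlier value but keeps its original position, and that additionally reports which keys were repeated so an implementation can log or reject them instead of silently diverging from a peer that applies "first one wins". `parse_dictionary` and the regexes are hypothetical names chosen here.

```python
import re

# Reduced grammar: keys per the draft (lcalpha or "*" first), values limited
# to integers, tokens and booleans; each member may carry parameters.
KEY_RE = re.compile(r"[a-z*][a-z0-9_\-.*]*")
INT_RE = re.compile(r"-?[0-9]{1,15}")
TOKEN_RE = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+\-.^_`|~]*")


def _parse_bare_item(s, i):
    """Parse a bare item at s[i:]; returns (value, index after it)."""
    if s.startswith("?1", i):
        return True, i + 2
    if s.startswith("?0", i):
        return False, i + 2
    m = INT_RE.match(s, i) or TOKEN_RE.match(s, i)
    if not m:
        raise ValueError(f"unsupported item at offset {i}")
    return (int(m.group()) if m.re is INT_RE else m.group()), m.end()


def _parse_params(s, i, dups):
    """Parse ';key[=value]' parameters; a repeated key overwrites (last wins)."""
    params = {}
    while i < len(s) and s[i] == ";":
        i += 1
        while i < len(s) and s[i] == " ":
            i += 1
        m = KEY_RE.match(s, i)
        if not m:
            raise ValueError(f"bad parameter key at offset {i}")
        key, i = m.group(), m.end()
        value = True                       # bare parameter key means true
        if i < len(s) and s[i] == "=":
            value, i = _parse_bare_item(s, i + 1)
        if key in params:
            dups.append(key)
        params[key] = value
    return params, i


def parse_dictionary(s):
    """Return (members, duplicate_keys). Members follow the procedure in the
    thread: a repeated key overwrites the earlier value but keeps its slot."""
    members, dups, i = {}, [], 0
    while i < len(s):
        m = KEY_RE.match(s, i)
        if not m:
            raise ValueError(f"bad dictionary key at offset {i}")
        key, i = m.group(), m.end()
        value = True                       # bare key means true
        if i < len(s) and s[i] == "=":
            value, i = _parse_bare_item(s, i + 1)
        params, i = _parse_params(s, i, dups)
        if key in members:
            dups.append(key)               # overwrite, but tell the caller
        members[key] = (value, params)
        while i < len(s) and s[i] in " \t":
            i += 1
        if i == len(s):
            break
        if s[i] != ",":
            raise ValueError(f"expected ',' at offset {i}")
        i += 1
        while i < len(s) and s[i] in " \t":
            i += 1
        if i == len(s):
            raise ValueError("trailing comma")
    return members, dups
```

A parser that instead kept the first occurrence would return `a=1` for the constructed input `a=1, b=2;q=tok, a=3`; the `dups` list is what lets an implementation notice that the two interpretations differ on a given field.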