Re: More on allowed field characters

On Mon, Aug 23, 2021, at 15:03, Martin Thomson wrote:
> It seems like the allowed characters in fields is a gift that keeps on giving.

Thanks everyone for all the words you gave.

Based on feedback from Willy and Greg in particular, I've taken another go at this:

  https://github.com/httpwg/http2-spec/pull/936/files

It says that:

* fields SHOULD be validated properly (according to HTTP §5.1 and §5.5)

* failure to validate fields might enable attacks, especially if the message ends up in HTTP/1.1 somehow (that is, providing motivation that was lacking from previous iterations on this)

* if fields aren't fully validated, attacks might happen, so minimal validation MUST be performed (with the checks previously agreed)

This does not address Roy's original point directly.  Yes, code that makes assumptions without taking responsibility for checking them might be exposed to the full consequences of poor decisions.  However, I believe that a lot of implementations will abide by the SHOULD here.  This is about levying requirements on implementations that might have expected to avoid having to validate fields; because we've learned that copying and pasting without checking happens.

(I do worry that this is an overreaction.  The original text in the spec was arguably fine.  It was just being ignored.)

Received on Thursday, 26 August 2021 05:52:11 UTC
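The validation the message points at (HTTP §5.1 and §5.5, that is, the RFC 9110 grammar for field-name and field-value) and the HTTP/1.1 hazard it gives as motivation, as an added example that is not part of the original message, of PR 936, or of any httpwg code. The field list and the two proxy-style serializers are constructed for illustration; the "minimal" CR/LF/NUL check is my assumption of what a minimal check looks like, not the checks agreed in the PR.

```python
"""Field validation per RFC 9110 (HTTP Semantics) sections 5.1 and 5.5,
and why skipping it matters when a message is re-serialized as HTTP/1.1.

Added example, not code from the HTTP WG or the h2 spec PR.
"""

# RFC 9110 5.6.2: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+"
#                        / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = set(b"!#$%&'*+-.^_`|~"
            b"0123456789"
            b"abcdefghijklmnopqrstuvwxyz"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")


def valid_field_name(name: bytes) -> bool:
    # RFC 9110 5.1: field-name = token = 1*tchar
    return len(name) > 0 and all(b in TCHAR for b in name)


def _is_field_vchar(b: int) -> bool:
    # RFC 9110 5.5: field-vchar = VCHAR / obs-text  (0x21-0x7E, 0x80-0xFF)
    return 0x21 <= b <= 0x7E or b >= 0x80


def valid_field_value(value: bytes) -> bool:
    # RFC 9110 5.5: field-value   = *field-content
    #               field-content = field-vchar
    #                               [ 1*( SP / HTAB / field-vchar ) field-vchar ]
    # So: empty is fine; otherwise every byte is field-vchar, SP or HTAB,
    # and the first and last bytes are field-vchar (no leading/trailing
    # whitespace, and no CR, LF, NUL or other control bytes anywhere).
    if not value:
        return True
    if not all(_is_field_vchar(b) or b in (0x20, 0x09) for b in value):
        return False
    return _is_field_vchar(value[0]) and _is_field_vchar(value[-1])


def minimal_value_check(value: bytes) -> bool:
    # ASSUMPTION: an illustrative "minimal" check, rejecting only the bytes
    # that split or terminate an HTTP/1.1 field line. Not the PR's wording.
    return not any(b in (0x00, 0x0A, 0x0D) for b in value)


def serialize_h1_naive(fields) -> bytes:
    # Blind copy of (name, value) pairs into HTTP/1.1 field lines, as a
    # gateway that trusts its HTTP/2 peer might do. No checks.
    return b"".join(n + b": " + v + b"\r\n" for n, v in fields) + b"\r\n"


def serialize_h1_checked(fields) -> bytes:
    # Same serialization, but only after full RFC 9110 validation.
    for n, v in fields:
        if not valid_field_name(n) or not valid_field_value(v):
            raise ValueError(f"invalid field {n!r}: {v!r}")
    return serialize_h1_naive(fields)


def rejects(fields) -> bool:
    # True when the checked serializer refuses the field list.
    try:
        serialize_h1_checked(fields)
    except ValueError:
        return True
    return False


def h1_field_lines(wire: bytes) -> list:
    # The field lines an HTTP/1.1 parser would see in the header section.
    head = wire.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n") if head else []


# Constructed input: one innocent field, one whose value carries CR LF.
# Arriving over HTTP/2 the second is a single field; copied into HTTP/1.1
# unchecked it becomes two, the second of which changes message framing.
SMUGGLING_FIELDS = [
    (b"host", b"example.com"),
    (b"x-note", b"ok\r\ntransfer-encoding: chunked"),
]

if __name__ == "__main__":
    print("naive serializer emits", len(h1_field_lines(
        serialize_h1_naive(SMUGGLING_FIELDS))), "field lines")
    print("checked serializer rejects:", rejects(SMUGGLING_FIELDS))
```

Note the gap between the two levels of checking: `minimal_value_check` stops the framing attack above but still passes a value such as `b" padded "` or one containing a bare `0x7F`, which `valid_field_value` rejects; the SHOULD in the PR text asks for the latter, the MUST for something closer to the former.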