- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 28 Sep 2021 10:56:43 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: ietf-http-wg@w3.org, Martin Thomson <mt@lowentropy.net>, Cory Benfield <cory@lukasa.co.uk>
Hi Mark, Martin, Cory,

On Mon, Sep 27, 2021 at 04:00:15PM -0700, Mark Nottingham via Datatracker wrote:
> Mark Nottingham has requested publication of draft-ietf-httpbis-http2bis-05 as Proposed Standard on behalf of the HTTPBIS working group.
>
> Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2bis/

Sadly, it seems we've missed the part that we were discussing with Martin earlier this month: https://github.com/httpwg/http2-spec/pull/936#issuecomment-910260086

I'd have liked us to suggest being extremely careful about checking dangerous characters in some pseudo-headers, which can be abused when concatenated to reconstruct a URI, and for which there are no indications in Semantics since they do not really exist outside of H2. Something like this could have done the job:

    In addition, implementations that operate on a URI or request line reconstructed from the concatenation of :method, :scheme, :authority, and :path SHOULD validate each of these fields individually and according to the rules in RFC3986#3 and MUST at least perform this minimal validation:

    - none of the aforementioned pseudo-header field values contains any character among NUL/CR/LF/LWS
    - :scheme does not contain the COLON character
    - :path exclusively starts with "/" or "*"

    Failure to do so exposes the implementation to risks of request smuggling attacks or authority splitting.

I guess it's too late if the publication request was sent, but I prefer to ask just in case...

Thanks,
Willy
Received on Tuesday, 28 September 2021 08:57:04 UTC
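The minimal validation proposed in the message above, as an added example (not code from the message or from any HTTP/2 implementation): each pseudo-header is checked before the fields are concatenated into a request line, so a value carrying CR/LF or a second colon in :scheme is rejected instead of producing a split request or a split authority. The sample header sets are constructed for illustration.

```python
import re

# Characters the proposal forbids in every pseudo-header value:
# NUL, CR, LF and linear whitespace (SP and HTAB).
_FORBIDDEN = re.compile(r"[\x00\r\n \t]")
_PSEUDO = (":method", ":scheme", ":authority", ":path")


def validate_pseudo_headers(pseudo):
    """Apply the three minimal checks from the proposed text and return
    the list of violations; an empty list means the fields may be joined."""
    problems = []
    for name in _PSEUDO:
        value = pseudo.get(name)
        if value is not None and _FORBIDDEN.search(value):
            problems.append(f"{name} contains NUL/CR/LF/LWS")
    if ":" in pseudo.get(":scheme", ""):
        problems.append(":scheme contains COLON")
    path = pseudo.get(":path")
    if path is not None and path[:1] not in ("/", "*"):
        problems.append(':path does not start with "/" or "*"')
    return problems


def reconstruct_request_line(pseudo):
    """Build an HTTP/1.1-style request line from the pseudo-headers, but only
    after validation, so a hostile value cannot terminate the line early."""
    problems = validate_pseudo_headers(pseudo)
    if problems:
        raise ValueError("; ".join(problems))
    target = pseudo[":scheme"] + "://" + pseudo[":authority"] + pseudo[":path"]
    return f"{pseudo[':method']} {target} HTTP/1.1\r\n"


# Constructed samples (not taken from the message): one benign, two hostile.
GOOD = {":method": "GET", ":scheme": "https",
        ":authority": "example.com", ":path": "/index.html"}
CRLF_IN_PATH = {**GOOD, ":path": "/\r\nX-Injected: 1"}   # would split the request
COLON_IN_SCHEME = {**GOOD, ":scheme": "https:x"}          # would corrupt the authority

if __name__ == "__main__":
    print(reconstruct_request_line(GOOD).strip())
    for sample in (CRLF_IN_PATH, COLON_IN_SCHEME):
        print("rejected:", validate_pseudo_headers(sample))
```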