Re: Publication has been requested for draft-ietf-httpbis-http2bis-05

On Tue, 28 Sept 2021 at 09:56, Willy Tarreau <w@1wt.eu> wrote:
>
> Hi Mark, Martin, Cory
>
> On Mon, Sep 27, 2021 at 04:00:15PM -0700, Mark Nottingham via Datatracker wrote:
> > Mark Nottingham has requested publication of draft-ietf-httpbis-http2bis-05 as Proposed Standard on behalf of the HTTPBIS working group.
> >
> > Please verify the document's state at https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2bis/
> >
>
> Sadly, it seems we've missed that part that we were discussing with
> Martin earlier this month:
>
>    https://github.com/httpwg/http2-spec/pull/936#issuecomment-910260086
>
> I'd have liked that we suggest to be extremely careful about checking
> dangerous characters in some pseudo headers, which can be abused when
> concatenated to reconstruct a URI, and for which there are no indications
> in Semantics since they do not really exist outside of H2. Something like
> this could have done the job:

I don't think this is true: -semantics defines these as "Control Data"
(Section 6.2) and points most of these constructs to other sections.

For example, method is referenced in Section 9 and given the ABNF
`token`, which is a stricter constraint than you ask for here. Section
7.2 covers :authority and gives it the ABNF uri-host [ ":" port ],
which again is a stricter constraint. Finally, the http2bis definition
of :path header calls out that its value is absolute-path, optionally
followed by ? and query, unless it is *.

I don't know that we gain much by further constraints unless trying to
offer intermediaries an off-ramp for less specific enforcement. On the
other hand, most intermediaries cannot be agnostic to control data, so
they likely have to police this themselves.

>
>   In addition, implementations that operate on a URI or request line
>   reconstructed from the concatenation of :method, :scheme, :authority,
>   and :path SHOULD validate each of these fields individually and
>   according to the rules in RFC3986#3 and MUST at least perform this
>   minimal validation:
>     - none of the aforementioned pseudo-header field values contains any
>       character among NUL/CR/LF/LWS
>     - :scheme does not contain the COLON character
>     - :path exclusively starts with "/" or "*"
>
>   Failure to do so exposes the implementation to risks of request smuggling
>   attacks or authority splitting.
>
> I guess it's too late if the publication request was sent, but I prefer
> to ask just in case...
>
> Thanks,
> Willy

Received on Tuesday, 28 September 2021 09:55:28 UTC
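
The minimal validation proposed in the quoted text, written out as an added example (not code from the thread, from either participant, or from any HTTP/2 implementation). The function names and sample requests are assumptions of this example, and the `token` check on :method goes beyond the proposed minimum, following the stricter ABNF the reply cites.

```python
import re

# RFC 9110 "token" characters: the stricter ABNF the reply cites for the method.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FORBIDDEN = frozenset("\x00\r\n \t")  # NUL / CR / LF / LWS from the proposed text
FIELDS = (":method", ":scheme", ":authority", ":path")

def check_pseudo_headers(headers):
    """Return a list of violations; an empty list means the minimal checks pass."""
    problems = []
    for name in FIELDS:
        value = headers.get(name)
        if value is None:
            # Assumption of this example: all four fields are present
            # (CONNECT and requests without :authority are out of scope).
            problems.append(f"{name}: missing")
        elif any(c in FORBIDDEN for c in value):
            problems.append(f"{name}: contains NUL/CR/LF/LWS")
    if ":" in headers.get(":scheme", ""):
        problems.append(":scheme: contains COLON")
    path = headers.get(":path")
    if path is not None and not path.startswith(("/", "*")):
        problems.append(":path: does not start with '/' or '*'")
    method = headers.get(":method")
    if method is not None and not TOKEN.fullmatch(method):
        problems.append(":method: not a token")
    return problems

def reconstruct_uri(headers):
    """Concatenate the fields into a URI only after every check has passed."""
    problems = check_pseudo_headers(headers)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{headers[':scheme']}://{headers[':authority']}{headers[':path']}"

# Constructed sample requests (not taken from the thread).
GOOD = {":method": "GET", ":scheme": "https",
        ":authority": "example.com", ":path": "/index.html?x=1"}
CRLF_PATH = dict(GOOD, **{":path": "/a HTTP/1.1\r\nX-Injected: 1"})
COLON_SCHEME = dict(GOOD, **{":scheme": "https://a.example/?"})
RELATIVE_PATH = dict(GOOD, **{":path": "index.html"})

if __name__ == "__main__":
    for sample in (GOOD, CRLF_PATH, COLON_SCHEME, RELATIVE_PATH):
        print(check_pseudo_headers(sample) or reconstruct_uri(sample))
```

Each field is checked on its own before any concatenation, so a value that would change the meaning of the reconstructed URI or request line is rejected rather than passed downstream.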