Re: Publication has been requested for draft-ietf-httpbis-http2bis-05

Hi Cory,

On Tue, Sep 28, 2021 at 10:55:03AM +0100, Cory Benfield wrote:
> > I'd have liked that we suggest to be extremely careful about checking
> > dangerous characters in some pseudo headers, which can be abused when
> > concatenated to reconstruct a URI, and for which there are no indications
> > in Semantics since they do not really exist outside of H2. Something like
> > this could have done the job:
> 
> I don't think this is true: -semantics defines these as "Control Data"
> (Section 6.2) and points most of these constructs to other sections.
> 
> For example, method is referenced in Section 9 and given the ABNF
> `token`, which is a stricter constraint than you ask for here. Section
> 7.2 covers :authority and gives it the ABNF uri-host [ ":" port ],
> which again is a stricter constraint. Finally, the http2bis definition
> of :path header calls out that its value is absolute-path, optionally
> followed by ? and query, unless it is *.

I know, but there is one particular case that significantly increases
this risk, which is when you're adding H2 to code already supporting H1
where the controls are performed later by code that you already trust for
doing the right thing with elements extracted from H1. Then you assemble
everything and parse the result via your well-trusted request-line parser.
But it's too late, the space in :method, the "://" in :scheme, the "/" or
space in :authority, or the space in :path have already defined different
delimiters.

> I don't know that we gain much by further constraints unless trying to
> offer intermediaries an off-ramp for less specific enforcement. On the
> other hand, most intermediaries cannot be agnostic to control data, so
> they likely have to police this themselves.

Sure, but these are really not natural to process on the output of HPACK,
in part because some of them most of the time come from the static
dictionary itself (:method and :scheme), where nobody expects to find
a ":" in a scheme, for example :-/

I mean, it's really easy to get trapped, and the long list of examples
below tends to confirm it:

   https://portswigger.net/research/http2

I'd have liked to at least add that to the security recommendations.

Thanks,
Willy

Received on Tuesday, 28 September 2021 10:13:37 UTC
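Added example, not code from this thread or from either participant: a small Python validator applying the token / scheme / uri-host / absolute-path constraints Cory cites to the four pseudo-headers before they are concatenated into an HTTP/1.1 request line, alongside the unchecked concatenation Willy describes so the effect of a space in :method on a space-splitting parser is visible. Function names and the regexes (approximations of the RFC 9110 / RFC 3986 ABNF) are my own assumptions; CONNECT requests, which omit :scheme and :path, are out of scope.

```python
import re
from typing import Dict

# method = token = 1*tchar (RFC 9110 5.6.2); no SP, no CTL.
METHOD_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) (RFC 3986 3.1); no ":" or "/".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+\-.]*$")
# uri-host [ ":" port ]: IP-literal or reg-name/IPv4 chars only, so no "/",
# "?", "#", "@" or whitespace can start a different URI component.
AUTHORITY_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]+)(?::[0-9]*)?$"
)
# "*" or absolute-path [ "?" query ]; whitespace, CTLs and "#" rejected.
PATH_RE = re.compile(r"^(?:\*|/[^\x00-\x20\x7f#]*)$")

RULES = {":method": METHOD_RE, ":scheme": SCHEME_RE,
         ":authority": AUTHORITY_RE, ":path": PATH_RE}


class PseudoHeaderError(ValueError):
    """A pseudo-header value would not survive concatenation intact."""


def validate_pseudo_headers(h: Dict[str, str]) -> None:
    """Check each pseudo-header on the HPACK output, before any reassembly."""
    for name, rule in RULES.items():
        value = h.get(name)
        if value is None or not rule.fullmatch(value):
            raise PseudoHeaderError(f"{name} rejected: {value!r}")


def naive_request_line(h: Dict[str, str]) -> str:
    """The risky pattern: rebuild an absolute-form request line unchecked."""
    return f"{h[':method']} {h[':scheme']}://{h[':authority']}{h[':path']} HTTP/1.1"


def safe_request_line(h: Dict[str, str]) -> str:
    """Same concatenation, but only once every field has passed its check."""
    validate_pseudo_headers(h)
    return naive_request_line(h)


def parsed_target(line: str) -> str:
    """What a request-line parser that splits on SP takes as the target."""
    return line.split(" ")[1]


def rejects(h: Dict[str, str]) -> bool:
    """True when validation refuses this set of pseudo-headers."""
    try:
        validate_pseudo_headers(h)
    except PseudoHeaderError:
        return True
    return False
```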