- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 26 Oct 2022 19:39:27 +0200
- To: ietf-http-wg@w3.org
On 27.09.2022 01:01, Mark Nottingham wrote: > ... I started a review, and I'm finding mostly minor issues so far which I'll summarize either later or create PRs for). One thing that *might* be non-trivial is the handling of percent-escaping. For instance, in <https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.2.6>: "Namely, an empty path string is normalized as a single slash / character, and path components are represented by their values after decoding any percent-encoded octets." So consider: POST /foo%2fbar HTTP/1.1 Host: www.example.com Unescaping %2f to "/" would yield a @path component value of /foo/bar is that really intended? I believe we need to have a look at the following cases: - escaped characters that otherwise would delimit URI components (such as "?" or "#") - escaped characters that otherwise have a special role inside a component (such as "/" in the path or "&" in a query) - escaped characters that map to non-ASCII characters (do we care about encoding schemes, and if so, which?) - escaped characters that might otherwise be problematic (%00 for instance) I'm not sure yet what the correct approach would be, but whatever it is, it should be reflected in the examples. Best regards, Julian
Received on Wednesday, 26 October 2022 17:39:42 UTC