W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2022

Re: Working Group Last Call: draft-ietf-httpbis-message-signatures-13

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 26 Oct 2022 19:39:27 +0200
Message-ID: <daec9ec1-4b6d-b196-b5e7-ed7722e1fb56@gmx.de>
To: ietf-http-wg@w3.org
On 27.09.2022 01:01, Mark Nottingham wrote:
> ...

I started a review, and I'm finding mostly minor issues so far which
I'll summarize either later or create PRs for).

One thing that *might* be non-trivial is the handling of percent-escaping.

For instance, in
<https://www.ietf.org/archive/id/draft-ietf-httpbis-message-signatures-13.html#section-2.2.6>:

"Namely, an empty path string is normalized as a single slash /
character, and path components are represented by their values after
decoding any percent-encoded octets."

So consider:

POST /foo%2fbar HTTP/1.1
Host: www.example.com

Unescaping %2f to "/" would yield a @path component value of

/foo/bar

is that really intended? I believe we need to have a look at the
following cases:

- escaped characters that otherwise would delimit URI components (such
as "?" or "#")

- escaped characters that otherwise have a special role inside a
component (such as "/" in the path or "&" in a query)

- escaped characters that map to non-ASCII characters (do we care about
encoding schemes, and if so, which?)

- escaped characters that might otherwise be problematic (%00 for instance)

I'm not sure yet what the correct approach would be, but whatever it is,
it should be reflected in the examples.

Best regards, Julian
Received on Wednesday, 26 October 2022 17:39:42 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 28 January 2023 21:29:46 UTC