Re: Consensus call to include Display Strings in draft-ietf-httpbis-sfbis

On Mon, Jun 26, 2023 at 07:14:04AM +0000, Poul-Henning Kamp wrote:
> --------
> Mark Nottingham writes:
> 
> > I've merged that PR. If there are lingering issues -- either on Display
> > Strings or other parts of the spec -- now is a good time to file them,
> > as the issues list for this draft is currently empty.
> 
> I have opened an issue for the fact that
> 
>  %"bla\"bla%22"
> 
> and
> 
>  %"bla%22bla\""
> 
> are semantically identical.
> 
> IMO that is an invitation to smuggling attacks which there is no need
> at all to codify.

Normal SF strings do indeed have the property that all legal encodings are
unique. Here it is not only encoding printable-range characters that
causes the encoding to fail to be unique; it is also the
case-insensitivity of percent encoding.


There are some other issues with characters as well:

1) It allows all the 65 Cc characters, most of which do not have
any obvious meaning (causing highly non-interoperable behavior at best),
despite being called display strings and so presumably intended for
display. And some of those characters might be quite dangerous if
dumped raw somewhere (security issues up to critical severity).

2) I think it should be specified that any direction change characters
MUST NOT affect any text surrounding the displayed string. At least
getting this wrong causes at most some screwed up text rendering.

-Ilari

Received on Thursday, 29 June 2023 08:26:30 UTC
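As an added illustration (not code from the thread or from the draft), a small Python decoder for the `%"..."` syntax as the messages above describe it, showing that the two quoted literals decode identically, beside the strict checks a receiver could apply instead: one canonical spelling with lowercase hex, no Cc characters, and bidi controls closed before the string ends. The grammar details and the choice of `%xx` as the canonical spelling of a quote are assumptions made here.

```python
import re
import unicodedata

# Grammar as described in the thread (an assumption, not the draft text): the
# body of %"..." may spell a quote as \" or as %22, and a percent-encoded
# octet accepts either hex case.
_TOKEN = re.compile(r'\\(["\\])|%([0-9A-Fa-f]{2})|(?!["\\%])([ -~])')
_BIDI_OPEN = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
_BIDI_CLOSE = {"PDF", "PDI"}

def decode(literal: str) -> str:
    """Lenient decode that accepts every spelling the quoted messages call legal."""
    if not (literal.startswith('%"') and literal.endswith('"')):
        raise ValueError("not a display string literal")
    body, pos, out = literal[2:-1], 0, bytearray()
    for m in _TOKEN.finditer(body):
        if m.start() != pos:                 # a gap means a byte outside the grammar
            raise ValueError(f"bad byte at offset {pos}")
        esc, hexpair, plain = m.groups()
        out.append(int(hexpair, 16) if hexpair else ord(esc or plain))
        pos = m.end()
    if pos != len(body):
        raise ValueError("truncated escape")
    return out.decode("utf-8")            # invalid UTF-8 raises too

def problems(literal: str) -> list[str]:
    """Strict receiver checks: a single canonical spelling (assumed here: %xx with
    lowercase hex, used only where it is required), no Cc characters, and every
    bidi embedding/override/isolate closed before the string ends."""
    found = []
    for m in _TOKEN.finditer(literal[2:-1]):
        esc, hexpair, _ = m.groups()
        if esc is not None:
            found.append(f"backslash escape {m.group(0)!r}; encode as %xx instead")
        elif hexpair is not None:
            octet = int(hexpair, 16)
            if hexpair != hexpair.lower():
                found.append(f"uppercase hex in %{hexpair}")
            elif 0x20 <= octet <= 0x7E and chr(octet) not in '"%':
                found.append(f"printable ASCII needlessly encoded as %{hexpair}")
    depth = 0
    for ch in decode(literal):
        if unicodedata.category(ch) == "Cc":
            found.append(f"control character U+{ord(ch):04X}")
        bidi = unicodedata.bidirectional(ch)
        depth += 1 if bidi in _BIDI_OPEN else -1 if bidi in _BIDI_CLOSE and depth else 0
    if depth:
        found.append("unterminated bidi control would affect surrounding text")
    return found
```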