[Errata Rejected] RFC9110 (8138)

The following errata report has been rejected for RFC9110,
"HTTP Semantics".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid8138

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Roy Yosef Barkay, Tomer Yair <roybarkayyosef@gmail.com>
Date Reported: 2024-10-12
Rejected by: Francesca Palombini (IESG)

Section: 15.4

Original Text
-------------
   5.  If the request method has been changed to GET or HEAD, remove
       content-specific header fields, including (but not limited to)
       Content-Encoding, Content-Language, Content-Location,
       Content-Type, Content-Length, Digest, Last-Modified.

Corrected Text
--------------
6. If a redirect request includes a target URI that is itself a
redirect link (a recursive redirect request),
such as http://example.com/reditectto=
""http://example.com/redirecto="http://bad.examaple.com"",
a redirect to http://example.com/redirecto="http://bad.examaple.com"
should be made and then to
http://bad.examaple.com, so that the security
measures for redirecting to another domain may take place.

Notes
-----
Currently the RFC doesn't indicate how web servers and
browsers should handle a recursive redirect such as
http://example.com/reditectto="http://example.com/redirecto="http://bad.examaple.com""
therefore I was able to abuse this behavior to gain a
CVE and exploitation on a web server for 2 main reasons:
1. Redirect-allowed-only-to-same-domain logic: with a regex on
the parameter, "gooddomain.com/.*", which works as intended for escaping the domain part in the URI but doesn't handle a case where there is a recursive request which is handled server side.
2. Out-of-domain control, which gives the user a choice to know and
approve the move to another domain, because the server views the
request as one to the same domain.

The corrected text should come after number 5.
 --VERIFIER NOTES-- 

In rejecting this errata report, I note that the aim of this erratum is not to fix an apparent error, but to make an addition to the current text. This sort of text change is not in scope for errata reports, which are meant to collect errors in the documents, things that were actual errors at publication and that would have been fixed at that time had the working group or document authors noticed them -- they were just missed. This is not the case here.

Additionally, cyclical redirections are already addressed for clients, and are not relevant for servers, see: https://mailarchive.ietf.org/arch/msg/httpbisa/o3-eUDiKUiC_nWi-5s1wOOmMesU/ for details.

--------------------------------------
RFC9110 (draft-ietf-httpbis-semantics-19)
--------------------------------------
Title               : HTTP Semantics
Publication Date    : June 2022
Author(s)           : R. Fielding, Ed., M. Nottingham, Ed., J. Reschke, Ed.
Category            : INTERNET STANDARD
Source              : HTTP
Stream              : IETF
Verifying Party     : IESG

Received on Tuesday, 29 October 2024 15:02:25 UTC
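The check described in the report's notes (a regex such as "gooddomain.com/.*" applied to the redirect parameter) beside a hardened form, with a small resolver that follows a nested redirect through a same-host redirect endpoint so the final destination can be inspected. This is an added example written for this page; it is not code from RFC 9110, from the errata report, or from any real server. The trusted host example.com, the endpoint path /redirectto, the parameter name url, the hop limit and the endpoint's behaviour are all assumptions constructed for the demo, and the regex is taken to be an unanchored substring search, which is one reading of the quoted pattern.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for this demo (not from RFC 9110 or the errata report).
TRUSTED_HOST = "example.com"    # the only host the site should redirect to
REDIRECT_PATH = "/redirectto"   # hypothetical redirect endpoint on that host
REDIRECT_PARAM = "url"          # hypothetical query parameter carrying the target
MAX_HOPS = 5                    # hop cap; RFC 9110 15.4 asks clients to watch for cycles

# Weak check in the style quoted in the notes: an unanchored regex on the
# parameter value. It only requires "example.com/" to appear somewhere in it.
WEAK_RE = re.compile(r"example\.com/.*")


def weak_is_allowed(target):
    """Regex substring check, assumed to mirror the pattern in the report."""
    return WEAK_RE.search(target) is not None


def strict_is_allowed(target):
    """Parse the target and compare the host exactly; reject anything else.

    urlsplit().hostname strips userinfo, so http://example.com@bad.example.com/
    yields 'bad.example.com' and is rejected; scheme-relative //host/ has no
    scheme and is rejected too.
    """
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname == TRUSTED_HOST


def redirect_target(request_url):
    """Value the hypothetical endpoint would put in Location for this request,
    or None when the request is not for the endpoint (constructed behaviour)."""
    parts = urlsplit(request_url)
    if parts.hostname != TRUSTED_HOST or parts.path != REDIRECT_PATH:
        return None
    values = parse_qs(parts.query).get(REDIRECT_PARAM)
    return values[0] if values else None


def follow_chain(start_url, is_allowed):
    """Follow redirects issued by the endpoint, applying is_allowed to each hop.

    Returns (outcome, hops, last_url) where outcome is 'landed' (chain ended on
    a URL the endpoint does not redirect), 'blocked' (a hop failed the check;
    last_url is the rejected target) or 'hop_limit' (MAX_HOPS exceeded).
    """
    hops = [start_url]
    url = start_url
    for _ in range(MAX_HOPS):
        nxt = redirect_target(url)
        if nxt is None:
            return "landed", hops, url
        if not is_allowed(nxt):
            return "blocked", hops, nxt
        hops.append(nxt)
        url = nxt
    return "hop_limit", hops, url


# Constructed input: a redirect whose target is the same endpoint again, with
# the inner target pointing off-domain. Each level is percent-encoded once so
# the inner query survives the outer decode.
INNER = "http://%s%s?%s" % (TRUSTED_HOST, REDIRECT_PATH,
                            urlencode({REDIRECT_PARAM: "http://bad.example.com/"}))
NESTED = "http://%s%s?%s" % (TRUSTED_HOST, REDIRECT_PATH,
                             urlencode({REDIRECT_PARAM: INNER}))

if __name__ == "__main__":
    for name, check in (("weak regex", weak_is_allowed), ("strict host", strict_is_allowed)):
        outcome, hops, last = follow_chain(NESTED, check)
        print("%-11s -> %-9s after %d hop(s), last target %s" % (name, outcome, len(hops) - 1, last))
```

Under the weak check the nested chain passes both hops, because "http://bad.example.com/" still contains the substring "example.com/", and the client lands off-domain; under the strict check the first hop (genuinely example.com) is allowed and the second is blocked. Checking the parsed host of every hop, rather than the text of the outermost parameter, is what the second form adds; the hop limit is the server-side analogue of the client cycle handling the verifier notes point to.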