W3C home > Mailing lists > Public > uri@w3.org > September 2007

Security issues in URI templates

From: Elliotte Harold <erharold@gmail.com>
Date: Sun, 30 Sep 2007 06:10:10 -0400
Message-ID: <49aa580c0709280621g542d52b6g893316d43165038e@mail.gmail.com>
To: uri@w3.org
Cc: elharo@metalab.unc.edu
I've just read the URI templating draft spec. Looks good overall,
except for section 4 which feels like it should be expanded. Section 4

4.  Security Considerations

   A URI Template does not contain active or executable content.  Other
   security considerations are the same as those for URIs, see section 7
   of RFC3986.

I am concerned that this is insufficiently "creative" in imagining possible
attacks. In particular, I suspect that URI templates might be able to pass
"bad" URIs through systems that would recognize and reject them if they were
passed through as an expanded URI.

Just maybe, it would be possible to run in reverse where a URI such as
http://www.example.com/%7Bfoo%7D gets turned into
http://www.example.com/{foo} and gets snuck into a system that will process
the URI template.

Likely these would rely on application bugs or omissions. Nonetheless these
are not bugs or omissions that would cause problems today, so they may exist
in current software and doubtless in careless software written in the
future. Section 4 should consider such problems and warn readers about them.

Elliotte Rusty Harold
Received on Sunday, 30 September 2007 10:10:21 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:11 UTC