W3C home > Mailing lists > Public > uri@w3.org > September 2007

Re: Security issues in URI templates

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 1 Oct 2007 09:17:34 +1000
Message-Id: <21A2124B-7317-4E92-8F66-D32AA4317462@mnot.net>
Cc: uri@w3.org, elharo@metalab.unc.edu
To: Elliotte Harold <erharold@gmail.com>

Thanks, Elliotte. I agree that we haven't thought enough about  
security yet; that section was more of a placeholder than anything else.


On 30/09/2007, at 8:10 PM, Elliotte Harold wrote:

> I've just read the URI templating draft spec. Looks good overall,  
> except for section 4 which feels like it should be expanded.  
> Section 4 reads:
> 4. Security Considerations
> A URI Template does not contain active or executable content. Other
> security considerations are the same as those for URIs, see section 7
> of RFC3986.I am concerned that this is insufficiently "creative" in  
> imagining possible attacks. In particular, I suspect that URI  
> templates might be able to pass "bad" URIs through systems that  
> would recognize and reject them if they were passed through as an  
> expanded URI.
> Just maybe, it would be possible to run in reverse where a URI such  
> as http://www.example.com/%7Bfoo%7D gets turned into http:// 
> www.example.com/{foo} and gets snuck into a system that will  
> process the URI template.
> Likely these would rely on application bugs or omissions.  
> Nonetheless these are not bugs or omissions that would cause  
> problems today, so they may exist in current software and doubtless  
> in careless software written in the future. Section 4 should  
> consider such problems and warn readers about them.
> -- 
> Elliotte Rusty Harold
> erharold@gmail.com

Mark Nottingham     http://www.mnot.net/
Received on Sunday, 30 September 2007 23:19:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:11 UTC