- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 1 Oct 2007 09:17:34 +1000
- To: Elliotte Harold <erharold@gmail.com>
- Cc: uri@w3.org, elharo@metalab.unc.edu
Thanks, Elliotte. I agree that we haven't thought enough about
security yet; that section was more of a placeholder than anything else.
Cheers,
On 30/09/2007, at 8:10 PM, Elliotte Harold wrote:
> I've just read the URI templating draft spec. Looks good overall,
> except for section 4 which feels like it should be expanded.
> Section 4 reads:
>
>
> 4. Security Considerations
>
> A URI Template does not contain active or executable content. Other
> security considerations are the same as those for URIs, see section 7
> of RFC3986.I am concerned that this is insufficiently "creative" in
> imagining possible attacks. In particular, I suspect that URI
> templates might be able to pass "bad" URIs through systems that
> would recognize and reject them if they were passed through as an
> expanded URI.
>
> Just maybe, it would be possible to run in reverse where a URI such
> as http://www.example.com/%7Bfoo%7D gets turned into http://
> www.example.com/{foo} and gets snuck into a system that will
> process the URI template.
>
> Likely these would rely on application bugs or omissions.
> Nonetheless these are not bugs or omissions that would cause
> problems today, so they may exist in current software and doubtless
> in careless software written in the future. Section 4 should
> consider such problems and warn readers about them.
>
> --
> Elliotte Rusty Harold
> erharold@gmail.com
--
Mark Nottingham http://www.mnot.net/
Received on Sunday, 30 September 2007 23:19:19 UTC