Re: [http-state] [Technical Errata Reported] RFC6265 (3663)

Adam Barth <ietf@adambarth.com> Tue, 18 June 2013 09:29 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@ietfa.amsl.com
Delivered-To: http-state@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2296C21F9DCD for <http-state@ietfa.amsl.com>; Tue, 18 Jun 2013 02:29:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xkupSXLZSCoH for <http-state@ietfa.amsl.com>; Tue, 18 Jun 2013 02:29:38 -0700 (PDT)
Received: from mail-la0-x22d.google.com (mail-la0-x22d.google.com [IPv6:2a00:1450:4010:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id BDB4421F9DCE for <http-state@ietf.org>; Tue, 18 Jun 2013 02:29:37 -0700 (PDT)
Received: by mail-la0-f45.google.com with SMTP id fr10so3329967lab.4 for <http-state@ietf.org>; Tue, 18 Jun 2013 02:29:36 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=zPun07ui0o2/H1VD5hXFmcKSc/i10cG/yKk38S6vPwQ=; b=OPI/Nz+0fRa9/6lN+fnN56CeuB1agPjuR94RrQXO1qE1l/exEXG3tX3YiCurcYB/2H q3LPn7uZru6SYgCEinQIwPi7PvwskrNK56dwK0Gc88zn5J/BcdItZC0g7e2au+WdpZcz 3+k2G9cWtCcJTOA9FY24SSj9SZddzJDgUx4jzDEP+Pvwx9X/Wm5f2rLWm4TFCiidps3j pjGfkV1JScl8ucb2+1R3W5gOz7oiExeC2D3isjnQC+U2kgJc9pTUuIHVFjs6U9aUTJDY Vt/3wMNH5kwN8JuzBko9g0hZkaFyvdutjviL2iW4r9cWgeXNCrv3qXiXS4ui+murj0il SbjA==
X-Received: by 10.152.87.81 with SMTP id v17mr8625858laz.1.1371547776403; Tue, 18 Jun 2013 02:29:36 -0700 (PDT)
Received: from mail-lb0-f181.google.com (mail-lb0-f181.google.com [209.85.217.181]) by mx.google.com with ESMTPSA id p6sm6836575lbv.15.2013.06.18.02.29.34 for <http-state@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 18 Jun 2013 02:29:35 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id w10so3371606lbi.40 for <http-state@ietf.org>; Tue, 18 Jun 2013 02:29:34 -0700 (PDT)
X-Received: by 10.112.155.161 with SMTP id vx1mr660032lbb.78.1371547774582; Tue, 18 Jun 2013 02:29:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.81.2 with HTTP; Tue, 18 Jun 2013 02:29:04 -0700 (PDT)
In-Reply-To: <9beb9558a94c434d84a0ccebfe4cc582@BY2PR03MB269.namprd03.prod.outlook.com>
References: <20130618002830.7DF236211A@rfc-editor.org> <7mavr8hhrqsfmcqt77181vqc3g3nl25s1d@hive.bjoern.hoehrmann.de> <9beb9558a94c434d84a0ccebfe4cc582@BY2PR03MB269.namprd03.prod.outlook.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 18 Jun 2013 02:29:04 -0700
Message-ID: <CAJE5ia84biazW1-yOWwUmx94SGLL2daF2PPdWaj6+=5qCaigJg@mail.gmail.com>
To: Dave Thaler <dthaler@microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQndpD/34dWau9sYfCWvv/MTDITOQZ29mUckqhgwlDvHnbt6oi1YwR+iYqSapCzAoUyVcOFW
Cc: "presnick@qti.qualcomm.com" <presnick@qti.qualcomm.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, "http-state@ietf.org" <http-state@ietf.org>, "barryleiba@computer.org" <barryleiba@computer.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jun 2013 09:29:39 -0000

On Mon, Jun 17, 2013 at 5:45 PM, Dave Thaler <dthaler@microsoft.com>; wrote:
> Thanks Bjoern.
>
> Interesting, well in that case there may be an issue in the RFC 6265 algorithm for path matching.
> That's because it requires comparison for "identical" and "ab", "AB", "aB", and "Ab" are not "identical".
>
> So
> http://www.example.com/%AB/foo
> http://www.example.com/%ab/foo
> http://www.example.com/%Ab/foo
> http://www.example.com/%aB/foo
>
> are all "equivalent" in the language of RFC 3986, but not "identical" and hence a cookie on one will not match the others.

The path-match algorithm does exactly what it says.  Even though RFC
3986 might say that those strings are equivalent in some sense
(perhaps as URIs?), the path-match algorithm in RFC 6265 treats them
differently.  In particularly, they're not identical and the
path-match algorithm will likely return "false" for one or more of
them.

> It may still be worth having an errata noting the above issue, even if it's Hold For Document Update.

As far as I can tell, the errata is incorrect.

On Mon, Jun 17, 2013 at 6:04 PM, Dave Thaler <dthaler@microsoft.com>; wrote:
> I checked with one of the test teams at Microsoft and got this back:
>
>> There is a gap in the RFCs 3986 and 6265. RFC 3986 talks about the URI path and equivalence of
>> encoded Unicode characters in the path section of the URI.

I don't believe there is a gap.

>> However, RFC 6265 section 5.1.4
>> does not specifically state that the pre-fix match should be done on the unescaped URL path.

RFC 6265 gives a complete description of how to perform a path-match.
A compliant implementation will appear to operate as if it does
exactly what the specification says to do.  Given that RFC 6265
doesn't say to unescape the path, that means you ought not unescape
the path.

>> All the browsers we tested against (IE, Chrome, Firefox) do this case-sensitive prefix matching
>> before sending the cookies to the other page.

Indeed.

>> For IIS applications created with Unicode characters, IIS converts the escaped characters
>> (like %0D%0C) to lower case, and they are justified since the URI spec clearly calls out that they
>> are equivalent.

IIS is welcome to do that by the URI spec.  However, the strings are
not treated equivalently by RFC 6265.

>> When one page re-directs to another in IIS application, the cookies set for the
>> first page are not presented to the application on the other pages. This problem exists with
>> the cookie handling by all the browsers we tested against (IE, Chrome, Firefox). This is due to
>> the gap I explained above.

I don't see that as a problem.  All the implementations are
interoperating perfectly and matching the specification.  It sounds
like IIS has some undesirable behavior that its authors might want to
modify.  In any case, there's nothing to change about RFC 6265.  The
specification and the implementations are identical on this point.

Adam


> -----Original Message-----
> From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net]
> Sent: Monday, June 17, 2013 5:36 PM
> To: RFC Errata System
> Cc: abarth@eecs.berkeley.edu; barryleiba@computer.org; presnick@qti.qualcomm.com; Jeff.Hodges@kingsmountain.com; Dave Thaler; http-state@ietf.org
> Subject: Re: [http-state] [Technical Errata Reported] RFC6265 (3663)
>
> * RFC Errata System wrote:
>>Notes
>>-----
>>HEXDIG is defined in [RFC5234], Appendix B.1 as
>>  HEXDIG         =  DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
>>Note that lower case a-f are not legal.
>
> As per RFC 5234:
>
>    NOTE:
>
>       ABNF strings are case insensitive and the character set for these
>       strings is US-ASCII.
>
>    Hence:
>
>          rulename = "abc"
>
>    and:
>
>          rulename = "aBc"
>
>    will match "abc", "Abc", "aBc", "abC", "ABc", "aBC", "AbC", and
>    "ABC".
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>
>
>