Re: WGLC p7: Parsing auth challenges
John Sullivan <jsullivan@velocix.com> Tue, 30 April 2013 13:46 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 043A021F9851 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 06:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ynqgtpofS9Hn for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 06:46:23 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id AAA4821F97C5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 30 Apr 2013 06:46:23 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UXAsO-0002r9-Mu for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 13:45:48 +0000
Resent-Date: Tue, 30 Apr 2013 13:45:48 +0000
Resent-Message-Id: <E1UXAsO-0002r9-Mu@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <JSullivan@velocix.com>) id 1UXAsD-0002aB-Lu for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 13:45:37 +0000
Received: from mail-out1.velocix.com ([81.134.152.10] helo=owa.velocix.com) by lisa.w3.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <JSullivan@velocix.com>) id 1UXAsC-0007mj-FQ for ietf-http-wg@w3.org; Tue, 30 Apr 2013 13:45:37 +0000
Received: from orthrus.eng.velocix.com (172.18.32.42) by exccam.corp.velocix.com (172.18.4.40) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 30 Apr 2013 14:45:09 +0100
Message-ID: <517FCAE5.7050507@velocix.com>
Date: Tue, 30 Apr 2013 14:45:09 +0100
From: John Sullivan <jsullivan@velocix.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.21) Gecko/20090320 Fedora/2.0.0.21-1.fc10 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
CC: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>, HTTP Working Group <ietf-http-wg@w3.org>
References: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk> <517FAE54.5070801@gmx.de>
In-Reply-To: <517FAE54.5070801@gmx.de>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.18.32.42]
Received-SPF: none client-ip=81.134.152.10; envelope-from=JSullivan@velocix.com; helo=owa.velocix.com
X-W3C-Hub-Spam-Status: No, score=-2.5
X-W3C-Hub-Spam-Report: RP_MATCHES_RCVD=-2.509
X-W3C-Scan-Sig: lisa.w3.org 1UXAsC-0007mj-FQ 033627db2a4ba10e97696d1fc6b477ad
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WGLC p7: Parsing auth challenges
Archived-At: <http://www.w3.org/mid/517FCAE5.7050507@velocix.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17726
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Julian Reschke wrote: > On 2013-04-29 20:55, Ben Niven-Jenkins wrote: >> (And if we don't get something, after whitespace elimination, which is either the end of the header field value or a token after the ",", then the value is invalid and should be rejected.) > > You could have an empty list entry, such as in > > WWW-Authenticate: Basic realm="foo", , Basic realm="bar" Ah yes, of course. I always assume that basic #rule processing, including eliminating empty entries, has been done at a lower layer so at this level the comma "doesn't exist" - but if we're talking about sequences including the "," here, that is an inconsistent way of describing it. (And if we get a non-empty string, after whitespace elimination, between the "," but before the earlier of either the end of the header field value or the next ",", which is not a token then the value is invalid and should be rejected.) >> If that interpretation is correct, it would be helpful to state this clearly, rather than merely infer it. (And if that interpretation is not correct, clearly relying on inference alone is unreliable!) > > The interpretation is correct. Can you make a more concrete proposal? > >> There is perhaps still the question of whether in the face of multiple WWW/Proxy-Authenticate headers, the implied "," separating their values according to #rule is still allowed to operate at both levels of the grammar, or only at the outermost (#challenge) level. > > Not sure about what you're asking. Can you provide an example? WWW-Authenticate: chal1 param1p1=val , param1p2=val, chal2 param2p1=val Should clearly be equivalent to: WWW-Authenticate: chal1 param1p1=val , param1p2=val WWW-Authenticate: chal2 param2p1=val It also should (according to the above rules) be equivalent to: WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val And of course: WWW-Authenticate: , chal1 , param1p1=val , param1p2=val, chal2 param2p1=val WWW-Authenticate: chal1 , param1p1=val , , param1p2=val, chal2 param2p1=val WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val, But what about: WWW-Authenticate: chal1 param1p1=val WWW-Authenticate: param1p2=val, chal2 param2p1=val This *could* be unambiguously parsed as equivalent to the above, but feels a bit shakier to allow. OTOH dumb processors assuming #rule might transform in or out of that form (by breaking on an arbitrary unencoded comma or squashing any #rule headers into a single instance). On that matter I just also noticed: WWW-Authenticate: chal2 WWW-Authenticate: param2p1=val Which looks similar but is probably disallowed by the grammar as it stands: the param list is optional, but if present must be separated by 1*SP (and any such you attempted to put in wouldn't form part of field-value.) Going back up a bit, compare: Apparently allowed: WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val Apparently invalid: WWW-Authenticate: chal1, param1p1=val , param1p2=val, chal2 param2p1=val John --
- WGLC p7: Parsing auth challenges Ben Niven-Jenkins
- Re: WGLC p7: Parsing auth challenges Mark Nottingham
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- Re: WGLC p7: Parsing auth challenges John Sullivan
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- #474, was: WGLC p7: Parsing auth challenges Julian Reschke