p1: whitespace in request-target

Mark Nottingham <mnot@mnot.net> Thu, 18 April 2013 00:50 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E948D21E80D7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 17:50:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.349
X-Spam-Level:
X-Spam-Status: No, score=-9.349 tagged_above=-999 required=5 tests=[AWL=1.250, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ie8XBu4ZY4Vz for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 17:50:59 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id E367D21E8043 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Apr 2013 17:50:58 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USd2n-0000d8-6a for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 00:49:45 +0000
Resent-Date: Thu, 18 Apr 2013 00:49:45 +0000
Resent-Message-Id: <E1USd2n-0000d8-6a@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1USd2k-0000cT-R6 for ietf-http-wg@listhub.w3.org; Thu, 18 Apr 2013 00:49:42 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1USd2k-0002ey-3e for ietf-http-wg@w3.org; Thu, 18 Apr 2013 00:49:42 +0000
Received: from [192.168.1.80] (unknown [118.209.210.200]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 49A1722E200; Wed, 17 Apr 2013 20:49:13 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 18 Apr 2013 10:49:10 +1000
Message-Id: <2183465A-F833-4701-A55C-EC105A36329E@mnot.net>
Cc: Amos Jeffries <squid3@treenet.co.nz>, Roy Fielding <fielding@gbiv.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-3.371, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1USd2k-0002ey-3e ce528409decfd6bc36e24382a701b099
X-Original-To: ietf-http-wg@w3.org
Subject: p1: whitespace in request-target
Archived-At: <http://www.w3.org/mid/2183465A-F833-4701-A55C-EC105A36329E@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17320
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

p1 3.1.1 says:

> Unfortunately, some user agents fail to properly encode hypertext references that have embedded whitespace, sending the characters directly instead of properly encoding or excluding the disallowed characters. Recipients of an invalid request-line SHOULD respond with either a 400 (Bad Request) error or a 301 (Moved Permanently) redirect with the request-target properly encoded. Recipients SHOULD NOT attempt to autocorrect and then process the request without a redirect, since the invalid request-line might be deliberately crafted to bypass security filters along the request chain.

  http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.1.1

I note that the practice of correcting this is fairly widespread; e.g., in Squid, the default is to strip the whitespace, and IIRC has been for some time:

  http://www.squid-cache.org/Doc/config/uri_whitespace/

I think that the Squid documentation needs to be corrected, because the text in RFC2396 (and later in 3986) is about URIs in contexts like books, e-mail and so forth, not protocol elements:

  http://tools.ietf.org/html/rfc3986#appendix-C

My question is why this is a SHOULD / SHOULD NOT. We say that SHOULD-level requirements affect conformance unless there's a documented exception here:

  http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-2.5

... but these requirements don't mention any exceptions. Is the security risk here high enough to justify a MUST / MUST NOT? If not, they probably need to be downgraded to ought (or an exception needs to be highlighted).

Cheers,


--
Mark Nottingham   http://www.mnot.net/