Re: #409: is parsing OBS-FOLD mandatory?

Willy Tarreau <w@1wt.eu> Wed, 12 December 2012 21:21 UTC

Date: Wed, 12 Dec 2012 22:18:38 +0100
From: Willy Tarreau <w@1wt.eu>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/20121212211838.GC19220@1wt.eu>

On Wed, Dec 12, 2012 at 10:18:28AM -0800, Roy T. Fielding wrote:
(...)
> > """
> > If a received protocol element is processed, the recipient MUST be able to parse any value that would match the ABNF rules for that protocol element, excluding only those rules not applicable to the recipient's role, and those rules whose names begin with "obs-" (e.g., obs-fold).
> > """
> 
> Do we really want to exclude non-ASCII octets (obs-text) and older
> date formats (obs-date)?  Do we demote them to SHOULD or MAY?

This is a good point. Line-folding causes security issues and does not
seem to be used by senders, but I think we all regularly catch some
obs-text and obs-date coming from old applications or crippled devices.

> This change is fine with me, but it is a hard break from retaining
> compatibility and we need to be absolutely sure we want to do that.

I'd rather not break these ones, personally.

Couldn't we settle on just stating that obs-fold is normally not used,
is known to cause security issues when improperly implemented, and
should either be completely supported, or rejected, but in all cases
must be detected?

Willy
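
The "completely supported, or rejected, but in all cases detected" handling of obs-fold proposed in the message above, as an added example (not part of the original post and not taken from any HTTP implementation). The function name, the policy names and the sample bytes are constructed for illustration; bytes are decoded as Latin-1 so obs-text octets still parse.

```python
class ObsFoldError(ValueError):
    """A folded (continuation) header line was detected and not accepted."""


def parse_fields(block: bytes, policy: str = "reject") -> list[tuple[str, str]]:
    """Parse the header lines that follow the start-line.

    policy="reject": any obs-fold invalidates the message.
    policy="unfold": each fold is replaced by a single SP and joined to the
                     previous field value (complete support).
    In both cases the fold is detected; it is never passed through as-is.
    """
    if policy not in ("reject", "unfold"):
        raise ValueError("unknown policy")
    fields: list[list[str]] = []
    for raw in block.split(b"\r\n"):
        if not raw:                      # empty line ends the header block
            break
        line = raw.decode("latin-1")     # tolerate obs-text octets
        if line[0] in " \t":             # leading SP / HTAB => obs-fold
            if policy == "reject" or not fields:
                # A fold with no preceding field is invalid under any policy.
                raise ObsFoldError(f"obs-fold detected: {line!r}")
            joined = fields[-1][1] + " " + line.strip(" \t")
            fields[-1][1] = joined.strip(" ")
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip(" \t"):
            raise ValueError(f"malformed field line: {line!r}")
        fields.append([name, value.strip(" \t")])
    return [(name, value) for name, value in fields]


# Constructed sample: X-Note is folded onto a second line with HTAB + SP.
SAMPLE = (b"Host: example.org\r\n"
          b"X-Note: first part\r\n"
          b"\t second part\r\n"
          b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    print(parse_fields(SAMPLE, "unfold"))
    try:
        parse_fields(SAMPLE, "reject")
    except ObsFoldError as exc:
        print("rejected:", exc)
```
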