Re: p1: BWS

Willy Tarreau <w@1wt.eu> Thu, 18 April 2013 06:04 UTC

Date: Thu, 18 Apr 2013 08:02:11 +0200
From: Willy Tarreau <w@1wt.eu>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: ietf-http-wg@w3.org
Message-ID: <20130418060211.GC13063@1wt.eu>
References: <DB8598D0-7AD8-4A90-806B-E4C7B65118D7@mnot.net> <516F76CB.20406@treenet.co.nz>
Archived-At: <http://www.w3.org/mid/20130418060211.GC13063@1wt.eu>

On Thu, Apr 18, 2013 at 04:30:03PM +1200, Amos Jeffries wrote:
> On 18/04/2013 1:18 p.m., Mark Nottingham wrote:
> >p1 3.2.3 says:
> >
> >>    BWS is used where the grammar allows optional whitespace, for
> >>    historical reasons, but senders SHOULD NOT generate it in messages;
> >>    recipients MUST accept such bad optional whitespace and remove it
> >>    before interpreting the field value or forwarding the message
> >>    downstream.
> >   http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.2.3
> >
> >Throughout our specs, BWS is used at the end of header fields:
> >      header-field   = field-name ":" OWS field-value BWS
> >
> >and in transfer-codings:
> >      transfer-parameter = attribute BWS "=" BWS value
> >
> >and in Expect headers:
> >   expectation  = expect-name [ BWS "=" BWS expect-value]
> >                              *( OWS ";" [ OWS expect-param ] )
> >   expect-param = expect-name [ BWS "=" BWS expect-value ]
> >
> >and, finally, in auth-params on challenges and credentials:
> >   auth-param     = token BWS "=" BWS ( token / quoted-string )
> >
> >Is this whitespace really "bad" enough to MUST-require that intermediaries 
> >(including load balancers and other hardware!) remove it before forwarding 
> >the message?
> 
> For interoperability yes the whitespace is a bit problem. Its presence 
> subtly breaks any implementations looking for tokens with the strict 
> termination delimiter and also opens opportunities for problems related 
> to WS padding headers on maliciously crafted messages.

Agreed, but on the other hand, requiring that some intermediaries that do
not even use these fields to fix them can increase the risk of breaking
something between the client and the server. And since many of them will
not do it anyway, we'll end up with another MUST that is not respected,
so probably a SHOULD would be more appropriate?

Willy
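
Added example (not part of the original message, and not code from any implementation discussed in the thread): a Python sketch of what the quoted text asks of recipients for `auth-param = token BWS "=" BWS ( token / quoted-string )`, namely accepting BWS around "=" and dropping it before interpreting or forwarding. `naive_params` is a hypothetical strict-delimiter recipient shown for contrast; all function names and the sample value are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
BWS = r"[ \t]*"  # BWS = OWS = *( SP / HTAB )
PARAM = re.compile(rf"({TOKEN}){BWS}={BWS}({TOKEN}|{QUOTED})")
SEP = re.compile(rf"{BWS},{BWS}")

def naive_params(value):
    """Strict-delimiter recipient: assumes '=' directly follows the name."""
    out = {}
    for item in value.split(","):
        name, _, val = item.strip().partition("=")
        out[name] = val
    return out

def parse_params(value):
    """Accept BWS around '=' and return (name, value) pairs without it."""
    value = value.strip(" \t")
    pairs, pos = [], 0
    while True:
        m = PARAM.match(value, pos)
        if not m:
            raise ValueError(f"bad parameter at offset {pos}")
        pairs.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos == len(value):
            return pairs
        sep = SEP.match(value, pos)
        if not sep:
            raise ValueError(f"bad separator at offset {pos}")
        pos = sep.end()

def normalize(value):
    """Re-emit the list in the form a sender should generate (no BWS)."""
    return ", ".join(f"{n}={v}" for n, v in parse_params(value))

# Constructed sample: auth-params carrying BWS (SP and HTAB) around "=".
SAMPLE = 'realm \t= "example" ,nonce =abc123'

if __name__ == "__main__":
    print("naive     :", naive_params(SAMPLE))  # names keep trailing whitespace
    print("parsed    :", parse_params(SAMPLE))
    print("forwarded :", normalize(SAMPLE))
```

The naive recipient ends up with parameter names such as `"nonce "` and never finds `nonce`, which is the subtle breakage the quoted reply describes; an intermediary that forwards the normalized form spares downstream parsers from that case.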