Re: WGLC p7: Parsing auth challenges
Julian Reschke <julian.reschke@gmx.de> Tue, 30 April 2013 14:07 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26F2421F9A2D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 07:07:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-nB5hGPYYEJ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 30 Apr 2013 07:07:38 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 6104421F9A06 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 30 Apr 2013 07:07:38 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UXBCn-0005kL-IO for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 14:06:53 +0000
Resent-Date: Tue, 30 Apr 2013 14:06:53 +0000
Resent-Message-Id: <E1UXBCn-0005kL-IO@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1UXBCc-0005ia-AA for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 14:06:42 +0000
Received: from mout.gmx.net ([212.227.17.21]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@gmx.de>) id 1UXBCb-0000Mb-7X for ietf-http-wg@w3.org; Tue, 30 Apr 2013 14:06:42 +0000
Received: from mailout-de.gmx.net ([10.1.76.31]) by mrigmx.server.lan (mrigmx001) with ESMTP (Nemesis) id 0MgJFg-1U9TN30CwQ-00NhFW for <ietf-http-wg@w3.org>; Tue, 30 Apr 2013 16:06:15 +0200
Received: (qmail invoked by alias); 30 Apr 2013 14:06:14 -0000
Received: from mail.greenbytes.de (EHLO [192.168.1.105]) [217.91.35.233] by mail.gmx.net (mp031) with SMTP; 30 Apr 2013 16:06:14 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+B7iYkLUKBnsfGM/CplOoSEOT8IiuGdnT3xztrJp u0m5agGkFWEbTq
Message-ID: <517FCFD2.10609@gmx.de>
Date: Tue, 30 Apr 2013 16:06:10 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: John Sullivan <jsullivan@velocix.com>
CC: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>, HTTP Working Group <ietf-http-wg@w3.org>
References: <8F6FB0A1-4D7E-4847-92A7-14B240FAC23A@niven-jenkins.co.uk> <517FAE54.5070801@gmx.de> <517FCAE5.7050507@velocix.com>
In-Reply-To: <517FCAE5.7050507@velocix.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=212.227.17.21; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-3.359, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UXBCb-0000Mb-7X 05500b0baa9225818ceec76df092728e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WGLC p7: Parsing auth challenges
Archived-At: <http://www.w3.org/mid/517FCFD2.10609@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17727
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 2013-04-30 15:45, John Sullivan wrote: > Julian Reschke wrote: >> On 2013-04-29 20:55, Ben Niven-Jenkins wrote: >>> (And if we don't get something, after whitespace elimination, which is either the end of the header field value or a token after the ",", then the value is invalid and should be rejected.) >> >> You could have an empty list entry, such as in >> >> WWW-Authenticate: Basic realm="foo", , Basic realm="bar" > > Ah yes, of course. I always assume that basic #rule processing, > including eliminating empty entries, has been done at a lower > layer so at this level the comma "doesn't exist" - but if we're > talking about sequences including the "," here, that is an > inconsistent way of describing it. #rule processing can not happen at a lower layer because if requires knowledge of the ABNF for "rule". > (And if we get a non-empty string, after whitespace elimination, > between the "," but before the earlier of either the end of the > header field value or the next ",", which is not a token then the > value is invalid and should be rejected.) > >>> If that interpretation is correct, it would be helpful to state this clearly, rather than merely infer it. (And if that interpretation is not correct, clearly relying on inference alone is unreliable!) >> >> The interpretation is correct. Can you make a more concrete proposal? >> >>> There is perhaps still the question of whether in the face of multiple WWW/Proxy-Authenticate headers, the implied "," separating their values according to #rule is still allowed to operate at both levels of the grammar, or only at the outermost (#challenge) level. >> >> Not sure about what you're asking. Can you provide an example? > > WWW-Authenticate: chal1 param1p1=val , param1p2=val, chal2 param2p1=val > > Should clearly be equivalent to: > > WWW-Authenticate: chal1 param1p1=val , param1p2=val > WWW-Authenticate: chal2 param2p1=val Yes. > It also should (according to the above rules) be equivalent to: > > WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val > > And of course: > > WWW-Authenticate: , chal1 , param1p1=val , param1p2=val, chal2 param2p1=val > > WWW-Authenticate: chal1 , param1p1=val , , param1p2=val, chal2 param2p1=val > > WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val, Yes. > But what about: > > WWW-Authenticate: chal1 param1p1=val > WWW-Authenticate: param1p2=val, chal2 param2p1=val > > This *could* be unambiguously parsed as equivalent to the above, > but feels a bit shakier to allow. OTOH dumb processors assuming > #rule might transform in or out of that form (by breaking on an > arbitrary unencoded comma or squashing any #rule headers into a > single instance). Yes. It's invalid (each header field instance needs to conform to #challenge), but folding it into a single string may make it valid- > On that matter I just also noticed: > > WWW-Authenticate: chal2 > WWW-Authenticate: param2p1=val > > Which looks similar but is probably disallowed by the grammar as > it stands: the param list is optional, but if present must be > separated by 1*SP (and any such you attempted to put in wouldn't > form part of field-value.) It's as invalid as the previous example. > Going back up a bit, compare: > > Apparently allowed: > WWW-Authenticate: chal1 , param1p1=val , param1p2=val, chal2 param2p1=val > > Apparently invalid: > WWW-Authenticate: chal1, param1p1=val , param1p2=val, chal2 param2p1=val > ... Yes. The syntax for WWW-A is a big mess. Not sure what we can do here in the spec though. Best regards, Julian
- WGLC p7: Parsing auth challenges Ben Niven-Jenkins
- Re: WGLC p7: Parsing auth challenges Mark Nottingham
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- Re: WGLC p7: Parsing auth challenges John Sullivan
- Re: WGLC p7: Parsing auth challenges Julian Reschke
- #474, was: WGLC p7: Parsing auth challenges Julian Reschke