IETF Logo Mail Archive

Re: Consensus call to include Display Strings in draft-ietf-httpbis-sfbis

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 29 June 2023 08:26 UTC

Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <ilariliusvaara@welho.com>) id 1qEmz0-00EKEy-7Z for ietf-http-wg@listhub.w3.org; Thu, 29 Jun 2023 08:26:30 +0000
Received: from welho-filter1b.welho.com ([83.102.41.27] helo=welho-filter1.welho.com) by titan.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <ilariliusvaara@welho.com>) id 1qEmyy-005ZlO-BW for ietf-http-wg@w3.org; Thu, 29 Jun 2023 08:26:29 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 2987D1B248 for <ietf-http-wg@w3.org>; Thu, 29 Jun 2023 11:26:22 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id jogAWglMi2Dx for <ietf-http-wg@w3.org>; Thu, 29 Jun 2023 11:26:22 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-94-129-82.rev.dnainternet.fi [87.94.129.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id DFE332309 for <ietf-http-wg@w3.org>; Thu, 29 Jun 2023 11:26:20 +0300 (EEST)
Date: Thu, 29 Jun 2023 11:26:20 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <ZJ1ALI5LKxHb7BSV@LK-Perkele-VII2.locald>
References: <FC5270AF-509C-4331-AE8F-1F2D51BBC5F2@apple.com> <39E3B9FB-DD37-4D22-A35E-D50DAC512C69@apple.com> <84B0BBBB-6652-4442-88DF-0E3F3FEF5CEF@mnot.net> <202306260714.35Q7E4JR068513@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <202306260714.35Q7E4JR068513@critter.freebsd.dk>
Sender: ilariliusvaara@welho.com
Received-SPF: pass client-ip=83.102.41.27; envelope-from=ilariliusvaara@welho.com; helo=welho-filter1.welho.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1qEmyy-005ZlO-BW 202ffbee4a5617532d3e48209691c01d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Consensus call to include Display Strings in draft-ietf-httpbis-sfbis
Archived-At: <https://www.w3.org/mid/ZJ1ALI5LKxHb7BSV@LK-Perkele-VII2.locald>

On Mon, Jun 26, 2023 at 07:14:04AM +0000, Poul-Henning Kamp wrote:
> --------
> Mark Nottingham writes:
> 
> > I've merged that PR. If there are lingering issues -- either on Display
> > Strings or other parts of the spec -- now is a good time to file them,
> > as the issues list for this draft is currently empty.
> 
> I have opened an issue for the fact that
> 
> 	%"bla\"bla%22"
> 
> and
> 
> 	%"bla%22bla\""
> 
> are semantically identical.
> 
> IMO that is an invitation to smuggling attacks which there is no need
> at all to codify.

Normal SF strings do indeed have property that all legal encodings are
unique. Here it is not only encoding printable-range characters that
causes the encoding to fail to be unique, it is also case-insensitivity
of percent encoding.


There are some other issues with characters as well:

1) It allows all the 65 Cc characters, most of which do not do not have
any obvious meaning (causing highly non-interoperable behavior at best).
Despite being called display strings, so presumably intended for
display. And some of those characters might be quite dangerous if
dumped raw somewhere (security issues up to critical severity).

2) I think it should be specified that any direction change characters
MUST NOT affect any text surrounding the displayed string. At least
getting this wrong causes at most some screwed up text rendering.




-Ilari

v2.23.0 | Report a Bug | By Email