Re: #409: is parsing OBS-FOLD mandatory?

Willy Tarreau <w@1wt.eu> Wed, 12 December 2012 06:59 UTC

Date: Wed, 12 Dec 2012 07:57:33 +0100
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>

Hi Mark,

On Wed, Dec 12, 2012 at 02:48:55PM +1100, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/409>
> 
> """
> p1 2.5 Conformance and Error Handling says "...recipient MUST be able to parse any value that would match the ABNF rules..." yet 3.2.2 only make parsing obs-fold a SHOULD. Which is it?
> """
> 
> Roy made a proposed edit to remove the MUST NOT generate and change the SHOULD parse to a MUST parse.
>   <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2039>
> 
> However, this has the effect of un-deprecating line folding; IIRC we added
> those requirements because folding is not interoperable. 
> 
> My suggestion would be to change:
> 
> """
> If a received protocol element is processed, the recipient must be able to
> parse any value that would match the ABNF rules for that protocol element,
> excluding only those rules not applicable to the recipient's role.
> """
> 
> to:
> 
> """
> If a received protocol element is processed, the recipient MUST be able to
> parse any value that would match the ABNF rules for that protocol element,
> excluding only those rules not applicable to the recipient's role, and those
> rules whose names begin with "obs-" (e.g., obs-fold).
> """

I think we may improve the situation a little bit by indicating that
recipients must *detect* these obs-* rules even if they decide to reject
them because they can't parse them. The main issue I'm seeing with relaxing
parsing too much is the risk of seeing some smuggling attacks due to lazy
implementations that claim to be mostly compliant since they're not forced
to support line folding. We've already seen implementations which accept
spaces in header field names for example. I'm a bit worried about what the
following request would cause:

     POST /foo HTTP/1.1
     Host: foo
     Content-length: 8
     X-Dummy: yes
        Transfer-encoding: chunked

     ffffffff
     POST /unfiltered HTTP/1.1
     Host: foo
     Content-length: 100

     dangerous args

If a lazy implementation decides that the "   Transfer-Encoding" field
above is just "Transfer-Encoding", it might very well skip over the whole
4GB chunk, while for another implementation it would be the continuation
of X-Dummy.

So what do you think about the following change on top of yours:

 """
 If a received protocol element is processed, the recipient MUST be able to
 parse any value that would match the ABNF rules for that protocol element,
 excluding only those rules not applicable to the recipient's role, and those
 rules whose names begin with "obs-" (e.g., obs-fold). However, the recipient
 MUST be able to detect the rules it cannot parse and MUST reject such
 messages.
 """

Willy
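
Added example, not part of the message above and not code from any HTTP implementation: three recipients reading the header block of the sample request, showing how the folded line changes which header decides the message framing, and what the proposed "detect and reject" rule looks like. All function names and the RAW sample are constructed for illustration.

```python
import re

# Constructed header block modelled on the request in the message above.
RAW = (b"POST /foo HTTP/1.1\r\n"
       b"Host: foo\r\n"
       b"Content-length: 8\r\n"
       b"X-Dummy: yes\r\n"
       b"   Transfer-encoding: chunked\r\n\r\n")

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # HTTP token characters

class RejectMessage(Exception): pass  # recipient answers 400 and closes

def header_lines(raw):
    return raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # drop request line

def parse_strict(raw):
    """Detect obs-fold and malformed names; reject instead of guessing."""
    fields = []
    for line in header_lines(raw):
        if line[:1] in (b" ", b"\t"):
            raise RejectMessage("obs-fold detected")
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise RejectMessage("invalid field name")
        fields.append((name.lower(), value.strip(b" \t")))
    return fields

def parse_unfolding(raw):
    """Recipient that implements obs-fold: the line continues the last value."""
    fields = []
    for line in header_lines(raw):
        if line[:1] in (b" ", b"\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip(b" \t"))
        else:
            name, _, value = line.partition(b":")
            fields.append((name.lower(), value.strip(b" \t")))
    return fields

def parse_lazy(raw):
    """Lazy recipient: trims each line, so the fold becomes a new field."""
    split = (l.strip(b" \t").partition(b":") for l in header_lines(raw))
    return [(n.lower(), v.strip(b" \t")) for n, _, v in split]

def framing(fields):
    """Which header this recipient would use to find the end of the body."""
    chunked = any(n == b"transfer-encoding" for n, _ in fields)
    return "chunked" if chunked else "content-length"
```

The unfolding and lazy recipients disagree on framing for the same bytes, which is the desynchronisation the message warns about; the strict recipient never reaches a framing decision because it rejects the block.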