Re: #409: is parsing OBS-FOLD mandatory?
Willy Tarreau <w@1wt.eu> Wed, 12 December 2012 06:59 UTC
Date: Wed, 12 Dec 2012 07:57:33 +0100
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
Message-ID: <20121212065733.GG14722@1wt.eu>
References: <12F24972-5720-40B7-BF17-3A1955752199@mnot.net>
In-Reply-To: <12F24972-5720-40B7-BF17-3A1955752199@mnot.net>
Archived-At: <http://www.w3.org/mid/20121212065733.GG14722@1wt.eu>
Hi Mark,

On Wed, Dec 12, 2012 at 02:48:55PM +1100, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/409>
>
> """
> p1 2.5 Conformance and Error Handling says "...recipient MUST be able to
> parse any value that would match the ABNF rules..." yet 3.2.2 only makes
> parsing obs-fold a SHOULD. Which is it?
> """
>
> Roy made a proposed edit to remove the MUST NOT generate and change the
> SHOULD parse to a MUST parse.
> <http://trac.tools.ietf.org/wg/httpbis/trac/changeset/2039>
>
> However, this has the effect of un-deprecating line folding; IIRC we added
> those requirements because folding is not interoperable.
>
> My suggestion would be to change:
>
> """
> If a received protocol element is processed, the recipient must be able to
> parse any value that would match the ABNF rules for that protocol element,
> excluding only those rules not applicable to the recipient's role.
> """
>
> to:
>
> """
> If a received protocol element is processed, the recipient MUST be able to
> parse any value that would match the ABNF rules for that protocol element,
> excluding only those rules not applicable to the recipient's role, and those
> rules whose names begin with "obs-" (e.g., obs-fold).
> """

I think we may improve the situation a little bit by indicating that
recipients must *detect* these obs-* rules even if they decide to reject
them because they can't parse them. The main issue I'm seeing with relaxing
parsing too much is the risk of seeing some smuggling attacks due to lazy
implementations that claim to be mostly compliant since they're not forced
to support line folding. We've already seen implementations which accept
spaces in header field names for example.

I'm a bit worried about what the following request would cause:

POST /foo HTTP/1.1
Host: foo
Content-length: 8
X-Dummy: yes
 Transfer-encoding: chunked

ffffffff
POST /unfiltered HTTP/1.1
Host: foo
Content-length: 100

dangerous args

If a lazy implementation decides that the " Transfer-Encoding" field above
is just "Transfer-Encoding", it might very well skip over the whole 4GB
chunk, while for another implementation it would be the continuation of
X-Dummy.

So what do you think about the following change on top of yours:

"""
If a received protocol element is processed, the recipient MUST be able to
parse any value that would match the ABNF rules for that protocol element,
excluding only those rules not applicable to the recipient's role, and those
rules whose names begin with "obs-" (e.g., obs-fold). However, the recipient
MUST be able to detect the rules it cannot parse and MUST reject such
messages.
"""

Willy
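The three parser behaviours discussed in the message above (a lazy implementation that strips the leading whitespace and sees a new Transfer-Encoding field, a conforming one that treats the line as an obs-fold continuation of X-Dummy, and the proposed "detect and reject" behaviour) can be made concrete with a small header-section parser. The following is an added example and is not part of Willy's message or of any implementation discussed in the thread; the `fold_policy` names, the simplified token grammar and the `check_message` helper are my own assumptions, and the sample request is reconstructed from the one quoted in the message.

```python
import re

class ObsFoldError(ValueError):
    """Raised when the header section contains obs-fold and the policy is to reject."""

# Field-name grammar: RFC 7230 "token" characters (assumption: simplified, no
# attempt to validate field values beyond trimming OWS).
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_header_block(raw, fold_policy="reject"):
    """Parse the start-line and header fields of an HTTP/1.1 message.

    raw: bytes from the start-line up to (at least) the CRLF CRLF that ends
         the header section; anything after it is ignored here.
    fold_policy (names are assumptions for this example):
      "reject" - refuse any message containing obs-fold (the proposal above)
      "unfold" - replace the fold with SP, so the folded line extends the
                 previous field's value (what obs-fold actually means)
      "strip"  - the lazy behaviour the message warns about: drop the leading
                 whitespace and parse the line as a brand-new field
    Returns (start_line, [(lowercased_name, value), ...]).
    """
    text = raw.decode("ascii")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no end of header section")
    lines = head.split("\r\n")
    start_line, field_lines = lines[0], lines[1:]

    fields = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            # obs-fold = CRLF 1*( SP / HTAB ): never the start of a field.
            if fold_policy == "reject":
                raise ObsFoldError("obs-fold in header section: %r" % line)
            if fold_policy == "unfold":
                if not fields:
                    raise ValueError("obs-fold before the first header field")
                name, value = fields[-1]
                fields[-1] = (name, value + " " + line.strip())
                continue
            if fold_policy != "strip":
                raise ValueError("unknown fold_policy %r" % fold_policy)
            line = line.lstrip(" \t")
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            # Also rejects whitespace inside field names, which the message
            # notes some implementations wrongly accept.
            raise ValueError("malformed header field: %r" % line)
        fields.append((name.lower(), value.strip()))
    return start_line, fields

def framing(fields):
    """Body framing per RFC 7230 3.3.3 (simplified): Transfer-Encoding takes
    precedence over Content-Length; conflicting Content-Lengths are an error."""
    te = [v for n, v in fields if n == "transfer-encoding"]
    if te:
        return ("transfer-encoding", te[-1])
    cl = [v for n, v in fields if n == "content-length"]
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("conflicting or invalid Content-Length")
        return ("content-length", int(cl[0]))
    return ("none", 0)

def check_message(raw, fold_policy="reject"):
    """Return ("rejected", reason) or ("accepted", framing) for a message."""
    try:
        _start, fields = parse_header_block(raw, fold_policy)
        return ("accepted", framing(fields))
    except ValueError as exc:          # ObsFoldError is a ValueError
        return ("rejected", str(exc))

# Constructed sample: the header section of the request quoted in the message,
# with the folded "Transfer-encoding" line and the first 8 body bytes.
SAMPLE_REQUEST = (
    b"POST /foo HTTP/1.1\r\n"
    b"Host: foo\r\n"
    b"Content-length: 8\r\n"
    b"X-Dummy: yes\r\n"
    b" Transfer-encoding: chunked\r\n"
    b"\r\n"
    b"ffffffff"
)

if __name__ == "__main__":
    for policy in ("reject", "unfold", "strip"):
        print(policy, "->", check_message(SAMPLE_REQUEST, policy))
```

Run stand-alone, the three policies give three different answers for the same bytes: "strip" frames the body as chunked, "unfold" frames it by Content-Length 8 (the folded line is just part of X-Dummy's value), and "reject" refuses the message outright. Two intermediaries that disagree on which of the first two to apply are exactly the desynchronisation the message describes, which is why detecting the fold and rejecting is the safe choice for anything that forwards requests.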