Re: [Technical Errata Reported] RFC7230 (5964)

Mark Nottingham <mnot@mnot.net> Thu, 23 January 2020 22:05 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20200123155840.241DDF406CD@rfc-editor.org>
Date: Fri, 24 Jan 2020 09:02:02 +1100
Cc: Roy Fielding <fielding@gbiv.com>, "Julian F. Reschke" <julian.reschke@greenbytes.de>, ben@nostrum.com, aamelnikov@fastmail.fm, adam@nostrum.com, tpauly@apple.com, rick@openfortress.nl, ietf-http-wg@w3.org
Message-Id: <FF06904B-55AC-46C6-A20B-68FF435C98DC@mnot.net>
References: <20200123155840.241DDF406CD@rfc-editor.org>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [Technical Errata Reported] RFC7230 (5964)
Archived-At: <https://www.w3.org/mid/FF06904B-55AC-46C6-A20B-68FF435C98DC@mnot.net>

Rick,

This is better filed as an issue on the HTTP core revisions [1] than as an erratum.

Recommending REJECT.

Cheers,

1. https://github.com/httpwg/http-core#draft-http-core-documents


> On 24 Jan 2020, at 2:58 am, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
> 
> The following errata report has been submitted for RFC7230,
> "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid5964
> 
> --------------------------------------
> Type: Technical
> Reported by: Rick van Rein <rick@openfortress.nl>
> 
> Section: 2.7.1
> 
> Original Text
> -------------
>   The URI generic syntax for authority also includes a deprecated
>   userinfo subcomponent ([RFC3986], Section 3.2.1) for including user
>   authentication information in the URI.  Some implementations make use
>   of the userinfo component for internal configuration of
>   authentication information, such as within command invocation
>   options, configuration files, or bookmark lists, even though such
>   usage might expose a user identifier or password.  A sender MUST NOT
>   generate the userinfo subcomponent (and its "@" delimiter) when an
>   "http" URI reference is generated within a message as a request
>   target or header field value.  Before making use of an "http" URI
>   reference received from an untrusted source, a recipient SHOULD parse
>   for userinfo and treat its presence as an error; it is likely being
>   used to obscure the authority for the sake of phishing attacks.
> 
> 
> Corrected Text
> --------------
>   The URI generic syntax for authority also includes a
>   userinfo subcomponent in which the format "user:password" is deprecated
>   ([RFC3986], Section 3.2.1).  The user is permitted, but the password
>   is not.  Some implementations make use
>   of the userinfo component for internal configuration of
>   authentication information, such as within command invocation
>   options, configuration files, or bookmark lists, even though such
>   usage might expose a user identifier or password.  A sender MUST NOT
>   generate a colon in a userinfo subcomponent when an
>   "http" URI reference is generated within a message as a request
>   target or header field value, but it may prefix a user and an "@" delimiter
>   before the host name in an "http" URI.  Before making use of an "http" URI
>   reference received from an untrusted source, a recipient SHOULD parse
>   for userinfo and treat the presence of a colon in it as an error.
> 
> 
> Notes
> -----
> RFC3986 does not forbid or even discourage the "user" in the userinfo subcomponent.  It only says
> 
>   Use of the format "user:password" in the userinfo field is
>   deprecated.
> 
> and continues to describe ":password" handling.
> 
> Obscuring the authority for the purposes of phishing is not mitigated by parsing the userinfo; subdomains in DNS offer similar notational flexibility.  Parsing does help against misleading password popups.
> 
> The user is part of the authority section of the URI and its purpose is to zoom in on a scope for authoritative resource addressing.  This syntax has in the past been (ab)used for Basic/Digest authentication details, which only works if visitor and visited resource happen to be the same user; it is this (ab)use that is now deprecated.
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
> 
> --------------------------------------
> RFC7230 (draft-ietf-httpbis-p1-messaging-26)
> --------------------------------------
> Title               : Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
> Publication Date    : June 2014
> Author(s)           : R. Fielding, Ed., J. Reschke, Ed.
> Category            : PROPOSED STANDARD
> Source              : Hypertext Transfer Protocol Bis APP
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG

--
Mark Nottingham   https://www.mnot.net/
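The two recipient rules under discussion, side by side, as an added example that is not code from the thread or from any HTTP implementation: it splits the authority of an http(s) URI per the RFC 3986 grammar the report cites, then applies the published RFC 7230 Section 2.7.1 rule (any userinfo is an error) and the erratum's proposed rule (only a colon in userinfo is an error). The sample URIs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3986: authority = [ userinfo "@" ] host [ ":" port ], and the authority
# ends at the first "/", "?" or "#" after the "//".
_URI_AUTHORITY = re.compile(r'^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)')


@dataclass
class UserinfoCheck:
    userinfo: Optional[str]  # None when the authority carries no "@" at all
    hostport: str            # host [ ":" port ], i.e. where the request really goes
    has_password: bool       # a ":" inside userinfo: the deprecated "user:password" form


def inspect_authority(uri: str) -> UserinfoCheck:
    """Split the authority of an http(s) URI into userinfo and host[:port]."""
    m = _URI_AUTHORITY.match(uri)
    if not m or m.group('scheme').lower() not in ('http', 'https'):
        raise ValueError('not an http(s) URI with an authority component')
    authority = m.group('authority')
    if '@' not in authority:
        return UserinfoCheck(None, authority, False)
    # "@" is not a valid userinfo character in RFC 3986, so the first "@" is the delimiter.
    userinfo, _, hostport = authority.partition('@')
    return UserinfoCheck(userinfo, hostport, ':' in userinfo)


def rfc7230_rejects(uri: str) -> bool:
    """RFC 7230 Section 2.7.1 as published: any userinfo in a received http URI is an error."""
    return inspect_authority(uri).userinfo is not None


def erratum_rejects(uri: str) -> bool:
    """Erratum 5964's proposal: only a colon (a password) inside userinfo is an error."""
    return inspect_authority(uri).has_password


# Constructed sample URIs (not taken from the thread) to compare the two rules.
SAMPLES = [
    'http://www.example.com/',                          # no userinfo: both rules accept
    'http://alice@www.example.com:8080/',               # user only: 7230 rejects, erratum accepts
    'http://alice:s3cret@www.example.com/',             # user:password: both rules reject
    'http://www.bank.example@attacker.example/login',   # authority obscured by userinfo: only 7230 rejects
]


def compare_rules() -> dict:
    """Map each sample to (host[:port] actually addressed, RFC 7230 rejects?, erratum rejects?)."""
    return {u: (inspect_authority(u).hostport, rfc7230_rejects(u), erratum_rejects(u)) for u in SAMPLES}
```

Parsers disagree on which "@" delimits userinfo (the RFC 3986 grammar implies the first, the WHATWG URL parser used by browsers takes the last), so a recipient that wants the published RFC 7230 behaviour should reject on any "@" in the authority rather than on whatever its own parser extracted.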