Re: p1: BWS

Amos Jeffries <squid3@treenet.co.nz> Thu, 18 April 2013 04:31 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4398021E80C0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 21:31:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MyycP5HnILcx for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 17 Apr 2013 21:31:52 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 9B47B21E809E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 17 Apr 2013 21:31:52 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1USgUT-0006Zu-E9 for ietf-http-wg-dist@listhub.w3.org; Thu, 18 Apr 2013 04:30:33 +0000
Resent-Date: Thu, 18 Apr 2013 04:30:33 +0000
Resent-Message-Id: <E1USgUT-0006Zu-E9@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1USgUQ-0006Z6-RC for ietf-http-wg@listhub.w3.org; Thu, 18 Apr 2013 04:30:30 +0000
Received: from ip-58-28-153-233.static-xdsl.xnet.co.nz ([58.28.153.233] helo=treenet.co.nz) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <squid3@treenet.co.nz>) id 1USgUP-0002Sa-Tv for ietf-http-wg@w3.org; Thu, 18 Apr 2013 04:30:30 +0000
Received: from [192.168.2.7] (103-9-43-128.flip.co.nz [103.9.43.128]) by treenet.co.nz (Postfix) with ESMTP id B83EBE711D for <ietf-http-wg@w3.org>; Thu, 18 Apr 2013 16:30:06 +1200 (NZST)
Message-ID: <516F76CB.20406@treenet.co.nz>
Date: Thu, 18 Apr 2013 16:30:03 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <DB8598D0-7AD8-4A90-806B-E4C7B65118D7@mnot.net>
In-Reply-To: <DB8598D0-7AD8-4A90-806B-E4C7B65118D7@mnot.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=58.28.153.233; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-3.0
X-W3C-Hub-Spam-Report: AWL=-3.018, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1USgUP-0002Sa-Tv cda891e5de88a6dd168ba9ba3693b8bd
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: BWS
Archived-At: <http://www.w3.org/mid/516F76CB.20406@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17324
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 18/04/2013 1:18 p.m., Mark Nottingham wrote:
> p1 3.2.3 says:
>
>>     BWS is used where the grammar allows optional whitespace, for
>>     historical reasons, but senders SHOULD NOT generate it in messages;
>>     recipients MUST accept such bad optional whitespace and remove it
>>     before interpreting the field value or forwarding the message
>>     downstream.
>    http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.2.3
>
> Throughout our specs, BWS is used at the end of header fields:
>       header-field   = field-name ":" OWS field-value BWS
>
> and in transfer-codings:
>       transfer-parameter = attribute BWS "=" BWS value
>
> and in Expect headers:
>    expectation  = expect-name [ BWS "=" BWS expect-value]
>                               *( OWS ";" [ OWS expect-param ] )
>    expect-param = expect-name [ BWS "=" BWS expect-value ]
>
> and, finally, in auth-params on challenges and credentials:
>    auth-param     = token BWS "=" BWS ( token / quoted-string )
>
> Is this whitespace really "bad" enough to MUST-require that intermediaries (including load balancers and other hardware!) remove it before forwarding the message?

For interoperability yes the whitespace is a bit problem. Its presence 
subtly breaks any implementations looking for tokens with the strict 
termination delimiter and also opens opportunities for problems related 
to WS padding headers on maliciously crafted messages.

Amos