IETF Logo Mail Archive

Re: p1: whitespace in request-target

Mark Nottingham <mnot@mnot.net> Tue, 30 April 2013 03:20 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C3521F9C1C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 20:20:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.054
X-Spam-Level:
X-Spam-Status: No, score=-10.054 tagged_above=-999 required=5 tests=[AWL=0.545, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hjSN8teUAm3Q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 20:20:26 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 1E87721F9B6A for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Apr 2013 20:20:26 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UX16C-0002wy-Sl for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 03:19:24 +0000
Resent-Date: Tue, 30 Apr 2013 03:19:24 +0000
Resent-Message-Id: <E1UX16C-0002wy-Sl@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX163-0002vp-FJ for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 03:19:15 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UX15z-0004Oi-VF for ietf-http-wg@w3.org; Tue, 30 Apr 2013 03:19:15 +0000
Received: from mnot-mini.mnot.net (unknown [118.209.190.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id D8C5B509B8; Mon, 29 Apr 2013 23:18:47 -0400 (EDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <516F6CF9.30709@treenet.co.nz>
Date: Tue, 30 Apr 2013 13:18:43 +1000
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <84716645-4097-4014-BB4A-3A8C5BF5DD4E@mnot.net>
References: <2183465A-F833-4701-A55C-EC105A36329E@mnot.net> <516F6CF9.30709@treenet.co.nz>
To: Amos Jeffries <squid3@treenet.co.nz>
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-4.3
X-W3C-Hub-Spam-Report: AWL=-2.382, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UX15z-0004Oi-VF 30f93f8deffaf567db24612e98f71f29
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: whitespace in request-target
Archived-At: <http://www.w3.org/mid/84716645-4097-4014-BB4A-3A8C5BF5DD4E@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17707
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

So, I'm not hearing you say "don't make this a MUST" -- just noting that some broken software out there; correct?


On 18/04/2013, at 1:48 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:

> On 18/04/2013 12:49 p.m., Mark Nottingham wrote:
>> p1 3.1.1 says:
>> 
>>> Unfortunately, some user agents fail to properly encode hypertext references that have embedded whitespace, sending the characters directly instead of properly encoding or excluding the disallowed characters. Recipients of an invalid request-line SHOULD respond with either a 400 (Bad Request) error or a 301 (Moved Permanently) redirect with the request-target properly encoded. Recipients SHOULD NOT attempt to autocorrect and then process the request without a redirect, since the invalid request-line might be deliberately crafted to bypass security filters along the request chain.
>>   http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.1.1
>> 
>> I note that the practice of correcting this is fairly widespread; e.g., in Squid, the default is to strip the whitespace, and IIRC has been for some time:
>> 
>>   http://www.squid-cache.org/Doc/config/uri_whitespace/
>> 
>> I think that the Squid documentation needs to be corrected, because the text in RFC2396 (and later in 3986) is about URIs in contexts like books, e-mail and so forth, not protocol elements:
>> 
>>   http://tools.ietf.org/html/rfc3986#appendix-C
> 
> The relevant portion there being:
> "
> 
>   For robustness, software that accepts user-typed URI should attempt
>   to recognize and strip both delimiters and embedded whitespace.
> "
> Note that Squid *does* accept user-typed HTTP messages and the software traditionally causing whitespace issues
> are usually the specialized clients sending URI through HTTP-compatible messages in the URL field (Outlook and Exchange with RCP, some shockwave ICY clients).
> 
>> My question is why this is a SHOULD / SHOULD NOT. We say that SHOULD-level requirements affect conformance unless there's a documented exception here:
>> 
>>   http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-2.5
>> 
>> ... but these requirements don't mention any exceptions. Is the security risk here high enough to justify a MUST / MUST NOT? If not, they probably need to be downgraded to ought (or an exception needs to be highlighted).
> 
> The biggest risk is software truncating portions of the URL, or (like Squid when there is a trailing SP on the line) determining that the HTTP/1 version label is part of the URL on a HTTP/0.9 syntax GET request - which results in any HTTP/1.x header features being ignored. The actual security worst-case risk of this undeterminable, but its not going to be good for the transaction at the best of times.
> 
> Amos
> 

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email