#443: p1: whitespace in request-target

Mark Nottingham <mnot@mnot.net> Fri, 19 April 2013 11:49 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <2183465A-F833-4701-A55C-EC105A36329E@mnot.net>
Date: Fri, 19 Apr 2013 21:48:38 +1000
Cc: Amos Jeffries <squid3@treenet.co.nz>, Roy Fielding <fielding@gbiv.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: #443: p1: whitespace in request-target
Archived-At: <http://www.w3.org/mid/34CDD726-CE88-47AC-8043-FF2991D50353@mnot.net>

Tracking this as:
  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/443


On 18/04/2013, at 10:49 AM, Mark Nottingham <mnot@mnot.net> wrote:

> p1 3.1.1 says:
> 
>> Unfortunately, some user agents fail to properly encode hypertext references that have embedded whitespace, sending the characters directly instead of properly encoding or excluding the disallowed characters. Recipients of an invalid request-line SHOULD respond with either a 400 (Bad Request) error or a 301 (Moved Permanently) redirect with the request-target properly encoded. Recipients SHOULD NOT attempt to autocorrect and then process the request without a redirect, since the invalid request-line might be deliberately crafted to bypass security filters along the request chain.
> 
>  http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.1.1
> 
> I note that the practice of correcting this is fairly widespread; e.g., in Squid, the default is to strip the whitespace, and IIRC has been for some time:
> 
>  http://www.squid-cache.org/Doc/config/uri_whitespace/
> 
> I think that the Squid documentation needs to be corrected, because the text in RFC2396 (and later in 3986) is about URIs in contexts like books, e-mail and so forth, not protocol elements:
> 
>  http://tools.ietf.org/html/rfc3986#appendix-C
> 
> My question is why this is a SHOULD / SHOULD NOT. We say that SHOULD-level requirements affect conformance unless there's a documented exception here:
> 
>  http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-2.5
> 
> ... but these requirements don't mention any exceptions. Is the security risk here high enough to justify a MUST / MUST NOT? If not, they probably need to be downgraded to ought (or an exception needs to be highlighted).
> 
> Cheers,
> 
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/
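
The handling that the quoted p1 3.1.1 text asks of a recipient, as an added example that is not part of the original message or of any implementation it mentions: an invalid request-line is answered with 400 or with a 301 to the properly encoded target, and is never repaired and processed. The function name, the return shape, and the choice to redirect only single-slash origin-form targets are assumptions of this sketch.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # HTTP method token
VERSION = re.compile(r"HTTP/\d\.\d")

def classify_request_line(line, redirect=True):
    """Return (status, value) for one request-line.

    (200, target)   valid line, target is safe to hand to routing
    (301, location) target had raw SP/HTAB; location is the encoded form
    (400, None)     anything else; the request is not processed
    """
    line = line.rstrip("\r\n")
    # method ends at the first SP, version starts after the last SP;
    # everything between them is what the sender meant as the target.
    method, sep1, rest = line.partition(" ")
    target, sep2, version = rest.rpartition(" ")
    if not (sep1 and sep2 and target
            and TOKEN.fullmatch(method) and VERSION.fullmatch(version)):
        return 400, None

    # Any octet outside visible ASCII is disallowed in a request-target.
    bad = set(re.findall(r"[^\x21-\x7e]", target))
    if not bad:
        return 200, target

    # Redirect only when the sole defect is raw whitespace and the target
    # is origin-form. "//host/..." is refused so the Location header
    # cannot become a scheme-relative redirect to another host.
    if (redirect and bad <= {" ", "\t"}
            and target.startswith("/") and not target.startswith("//")):
        return 301, target.replace(" ", "%20").replace("\t", "%09")
    return 400, None

# Constructed sample request-lines (not taken from the thread).
if __name__ == "__main__":
    for sample in ("GET /a%20b HTTP/1.1\r\n",
                   "GET /my file.html HTTP/1.1\r\n",
                   "GET /admin /public HTTP/1.1\r\n",
                   "GET //other.example/a b HTTP/1.1\r\n"):
        print(repr(sample), classify_request_line(sample))
```

The third sample shows why the draft prefers a redirect over silent correction: the recipient commits to neither `/admin` nor `/public`, so every hop that sees the follow-up request parses the same unambiguous target.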