[Technical Errata Reported] RFC7231 (6354)
RFC Errata System <rfc-editor@rfc-editor.org> Thu, 10 December 2020 19:12 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2C63A11E9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Dec 2020 11:12:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.671
X-Spam-Level:
X-Spam-Status: No, score=-2.671 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krBVxokKz45B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 10 Dec 2020 11:12:19 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D9913A11F0 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 10 Dec 2020 11:12:18 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1knRJg-0007Wm-Jm for ietf-http-wg-dist@listhub.w3.org; Thu, 10 Dec 2020 19:09:28 +0000
Resent-Date: Thu, 10 Dec 2020 19:09:28 +0000
Resent-Message-Id: <E1knRJg-0007Wm-Jm@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <wwwrun@rfc-editor.org>) id 1knRJe-0007W9-06 for ietf-http-wg@listhub.w3.org; Thu, 10 Dec 2020 19:09:26 +0000
Received: from rfc-editor.org ([4.31.198.49]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <wwwrun@rfc-editor.org>) id 1knRJb-0001IB-W3 for ietf-http-wg@w3.org; Thu, 10 Dec 2020 19:09:25 +0000
Received: by rfc-editor.org (Postfix, from userid 30) id 56C41F4073A; Thu, 10 Dec 2020 11:09:00 -0800 (PST)
To: fielding@gbiv.com, julian.reschke@greenbytes.de, superuser@gmail.com, barryleiba@computer.org, mnot@mnot.net, tpauly@apple.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: psturge@honeycomb.co.uk, ietf-http-wg@w3.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20201210190900.56C41F4073A@rfc-editor.org>
Date: Thu, 10 Dec 2020 11:09:00 -0800
Received-SPF: pass client-ip=4.31.198.49; envelope-from=wwwrun@rfc-editor.org; helo=rfc-editor.org
X-W3C-Hub-Spam-Status: No, score=-10.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1knRJb-0001IB-W3 5c625ea54f830b6be98b2856cafbf65e
X-Original-To: ietf-http-wg@w3.org
Subject: [Technical Errata Reported] RFC7231 (6354)
Archived-At: <https://www.w3.org/mid/20201210190900.56C41F4073A@rfc-editor.org>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38291
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
The following errata report has been submitted for RFC7231, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6354 -------------------------------------- Type: Technical Reported by: Peter Sturge <psturge@honeycomb.co.uk> Section: 7.1.2. Original Text ------------- The field value consists of a single URI-reference. When it has the form of a relative reference ([RFC3986], Section 4.2), the final value is computed by resolving it against the effective request URI ([RFC3986], Section 5). For 201 (Created) responses, the Location value refers to the primary resource created by the request. For 3xx (Redirection) responses, the Location value refers to the preferred target resource for automatically redirecting the request. If the Location value provided in a 3xx (Redirection) response does not have a fragment component, a user agent MUST process the redirection as if the value inherits the fragment component of the URI reference used to generate the request target (i.e., the redirection inherits the original reference's fragment, if any). For example, a GET request generated for the URI reference "http://www.example.org/~tim" might result in a 303 (See Other) response containing the header field: Location: /People.html#tim which suggests that the user agent redirect to "http://www.example.org/People.html#tim" Corrected Text -------------- The field value consists of a single URI-reference. Relative forms are not allowed and MUST include the entire redirected URI, even if the base URL part has not changed. Notes ----- Relative URIs in Location redirect headers should not be allowed. Allowing relative URIs opens up, at best, inconsistent and poor implementations and interpretations, but more importantly it opens serious security holes. For example, when the redirect emanates from a URL shortening service (e.g. bitly.com), an attacker can 'chain' multiple relative shortened URIs, effectively obfuscating the final and malicious site. If security tools attempt to 'rebuild and resolve', this will have an impact on performance, and itself can be exploited by attackers by creating a circular redirect (this can of course be done with full URIs as well, but then a security monitoring tool can more easily detect such a scenario). Yes, one would expect security tools to only redirect to a small maximum count (say 3), but in a Denial-of-Service attack, many of these can render a security monitoring tool impotent to other attacks happening in parallel. In addition, unless *all* User-Agents (and there are a lot of them out there) interpret the relative URL absolutely consistently, this can lead to incorrect navigation at best, and such inconsistencies can be easily exploited by attackers at worst. All in all, at a time when the industry is trying to make internet operations safer and more secure, allowing relative URLs does the opposite, and with little to no gain by allowing. Instructions: ------------- This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary. -------------------------------------- RFC7231 (draft-ietf-httpbis-p2-semantics-26) -------------------------------------- Title : Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content Publication Date : June 2014 Author(s) : R. Fielding, Ed., J. Reschke, Ed. Category : PROPOSED STANDARD Source : Hypertext Transfer Protocol Bis APP Area : Applications Stream : IETF Verifying Party : IESG
- [Technical Errata Reported] RFC7231 (6354) RFC Errata System
- Re: [Technical Errata Reported] RFC7231 (6354) Julian Reschke