Re: HTTP request validation guidelines for implementers

Julian Reschke <julian.reschke@gmx.de> Fri, 09 July 2021 18:48 UTC

To: ietf-http-wg@w3.org
References: <FG0pbGeOrYyTy9Qq7QgDZtZWHwKpohi9eXVW-dkD1lFwkFM3Sqx2T1Wjv8zDZmPusf1EZ0XtKE5XVaFa-DPrM09yy0hIogQjI_MUI6L4Jdk=@penteado.me> <de67ac60-b09b-3bec-e7b2-2bdbe94254ac@ztk-rp.eu> <emoCRk-FQF5chLVc_HHoxKtaU_OD2hjrWv1aA628SP0JvUtfsX3Z9Dymw1FdMnDMwYe4FU-dYq5jP3URnqKZVvUgQ-1t5zep9zztm-pMD3Y=@penteado.me>
From: Julian Reschke <julian.reschke@gmx.de>
Message-ID: <d0f5c770-4b43-b96f-28c0-318d0795e345@gmx.de>
Date: Fri, 09 Jul 2021 20:45:29 +0200
In-Reply-To: <emoCRk-FQF5chLVc_HHoxKtaU_OD2hjrWv1aA628SP0JvUtfsX3Z9Dymw1FdMnDMwYe4FU-dYq5jP3URnqKZVvUgQ-1t5zep9zztm-pMD3Y=@penteado.me>
Archived-At: <https://www.w3.org/mid/d0f5c770-4b43-b96f-28c0-318d0795e345@gmx.de>

On 09.07.2021 at 19:51, João Penteado wrote:
> ...
> 2. If most servers out there adopt the same validation order, clients will
> gain additional information unavailable before. If, for instance, every server
> checks URI length before checking payload size, and I get a "413 Request Entity
> Too Large" error, I would know for sure that my URI length is fine and all the
> previous checks passed successfully.
> ...

You lost me here.

If a client sends both a too large URI *and* a too large request body,
why does it matter in practice which one is reported first? At the end
of the day, to fix the issue, both problems need to be resolved, no?

Best regards, Julian
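As an added illustration of the point Julian raises (example code, not from the thread or either author): for a request that breaks both the URI limit and the body limit, the single status a client sees depends only on the server's check order, which the client cannot observe, so it cannot infer that any other check passed; reporting every violation at once removes the guesswork. The limits, function names and the sample request are assumptions.

```python
from typing import List, Optional, Tuple

# Assumed limits for illustration; real servers pick their own.
MAX_URI_LENGTH = 8192
MAX_BODY_LENGTH = 1_000_000

# Status codes defined by HTTP for these two conditions.
URI_TOO_LONG = 414
CONTENT_TOO_LARGE = 413


def uri_check(target: str, content_length: Optional[int]) -> Optional[int]:
    """414 if the request-target exceeds the URI limit, else None."""
    return URI_TOO_LONG if len(target) > MAX_URI_LENGTH else None


def body_check(target: str, content_length: Optional[int]) -> Optional[int]:
    """413 if the declared body size exceeds the body limit, else None."""
    if content_length is not None and content_length > MAX_BODY_LENGTH:
        return CONTENT_TOO_LARGE
    return None


CHECKS = {"uri": uri_check, "body": body_check}


def first_failure(target: str, content_length: Optional[int],
                  order: Tuple[str, ...] = ("uri", "body")) -> Optional[int]:
    """Status a server that stops at its first failing check would send.
    The answer depends on `order`, which the client never sees."""
    for name in order:
        status = CHECKS[name](target, content_length)
        if status is not None:
            return status
    return None


def all_failures(target: str, content_length: Optional[int]) -> List[int]:
    """Evaluate every limit and return all violations, so one response tells
    the client everything it has to fix."""
    return [s for check in CHECKS.values()
            if (s := check(target, content_length)) is not None]


if __name__ == "__main__":
    # Constructed request that breaks both limits at once.
    target = "/search?q=" + "a" * 9000
    body_len = 2_000_000
    print(first_failure(target, body_len))                   # 414
    print(first_failure(target, body_len, ("body", "uri")))  # 413
    print(all_failures(target, body_len))                    # [414, 413]
```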