Re: #409: is parsing OBS-FOLD mandatory?
Mark Nottingham <mnot@mnot.net> Sun, 20 January 2013 09:29 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31D2521F84FB for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Jan 2013 01:29:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.248
X-Spam-Level:
X-Spam-Status: No, score=-9.248 tagged_above=-999 required=5 tests=[AWL=1.351, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXfm47g6a+9q for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 20 Jan 2013 01:29:10 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 449D921F84FC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 20 Jan 2013 01:29:09 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1TwrBM-0002vS-8E for ietf-http-wg-dist@listhub.w3.org; Sun, 20 Jan 2013 09:27:16 +0000
Resent-Date: Sun, 20 Jan 2013 09:27:16 +0000
Resent-Message-Id: <E1TwrBM-0002vS-8E@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1TwrBI-0002uj-6Q for ietf-http-wg@listhub.w3.org; Sun, 20 Jan 2013 09:27:12 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1TwrBH-0000lJ-2O for ietf-http-wg@w3.org; Sun, 20 Jan 2013 09:27:12 +0000
Received: from [192.168.1.80] (unknown [118.209.240.13]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 116B022E255; Sun, 20 Jan 2013 04:26:47 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20130120074434.GH6838@1wt.eu>
Date: Sun, 20 Jan 2013 20:26:42 +1100
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <85B3A89F-264E-4BED-9D76-2E0F3B9BB4EC@mnot.net>
References: <12F24972-5720-40B7-BF17-3A1955752199@mnot.net> <1D461B53-7FF5-41EB-A891-5B309F116DF0@gbiv.com> <20121212211838.GC19220@1wt.eu> <3BDA9E87-5771-49D3-A739-AA1B1F179484@mnot.net> <20121219071858.GD21050@1wt.eu> <2536D335-9BA5-49E2-B49A-2475C069E4D8@mnot.net> <8ADB8661-7EBB-429A-80BD-F38884751882@mnot.net> <20130120074434.GH6838@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1499)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: AWL=-2.346, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1TwrBH-0000lJ-2O b978fff4dfb71c5319e77f12b0ecba74
X-Original-To: ietf-http-wg@w3.org
Subject: Re: #409: is parsing OBS-FOLD mandatory?
Archived-At: <http://www.w3.org/mid/85B3A89F-264E-4BED-9D76-2E0F3B9BB4EC@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/16040
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 20/01/2013, at 6:44 PM, Willy Tarreau <w@1wt.eu> wrote: > Hi Mark, > > Sorry for being silent so long, I was quite busy last two weeks :-/ > > On Sun, Jan 20, 2013 at 01:37:26PM +1100, Mark Nottingham wrote: >> Anyone? Bueller? >> >> To make it clear -- I propose we downgrade recipient support for OBS-FOLD to >> a prose recommendation. > > Given the security impact it can have if processed the lazy way, we must at > least have something normative. Practically, I don't know how this can be > put into valid terms in a spec, but I'd like to see something which mandates > detecting OBS-FOLD and then leaves the choice to the implementation to accept > it or to reject the message. What I don't want to see is implementations which > consider that the space is part of the next header field name, and which later > trim the spaces and take this header field for another one. And we know for > sure that lazy implementations are lazy in multiple areas (typically all > those quickly written in scripting languages). Understood. I think it's a matter of either parsing obs-fold, or rejecting a message that has whitespace after a newline... Current: """ Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 7.3.1). Senders MUST NOT generate messages that include line folding (i.e., that contain any field-value that matches the obs-fold rule) unless the message is intended for packaging within the message/http media type. Recipients MUST accept line folding and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream. """ Proposal: """ Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 7.3.1). Senders MUST NOT generate messages that include line folding (i.e., that contain any field-value that matches the obs-fold rule) unless the message is intended for packaging within the message/http media type. Recipients MUST either: - accept line folding and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream, or - reject a message with line folding present. Servers can do for requests by responding with 400 Bad Request and a representation explaining the condition; clients can only discard the message. In particular, recipients who choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing headers with leading whitespace, as this can expose them to attacks that exploit this difference in processing. """ -- Mark Nottingham http://www.mnot.net/
- #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Amos Jeffries
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau
- Re: #409: is parsing OBS-FOLD mandatory? Roy T. Fielding
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau
- Re: #409: is parsing OBS-FOLD mandatory? Amos Jeffries
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau
- Re: #409: is parsing OBS-FOLD mandatory? Mark Nottingham
- Re: #409: is parsing OBS-FOLD mandatory? Willy Tarreau