Re: Call for Adoption: draft-reschke-rfc54987bis

Willy Tarreau <w@1wt.eu> Tue, 31 March 2015 05:46 UTC

Date: Tue, 31 Mar 2015 07:42:45 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Mar 31, 2015 at 03:08:06PM +1100, Mark Nottingham wrote:
> We discussed this document in Dallas:
>   <http://tools.ietf.org/html/draft-reschke-rfc5987bis>
> 
> Based on the feedback received, I believe that we should adopt this document
> as a WG product, with a target of Proposed Standard.
> 
> I've discussed it with our Area Director, who agrees that it's a reasonable
> thing for us to do.
> 
> Since this is a bis effort with a primary aim of aligning with RFC723x, I
> think we can do this relatively quickly, with a target of going to IETF LC by
> Prague.
> 
> Please comment on-list; we'll make a decision about adoption at the end of
> the week.

After a quick review, I think we should make it stricter. Currently,
it suggests that recipients should be prepared to receive invalid code
sequences but that can be dangerous when passing through multiple
intermediaries because all of them could have different fallback
methods. I'd rather make it clear that any recipient in the chain
which finds an encoding issue must return a 400 bad req.

Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
characters because this could be used to bypass some WAFs, for example:
if it is detected that a server implements this standard and is able
to %-decode some attributes in header fields, and a WAF in the middle
does not, the client can abuse the %-encoding to try to hide some
activities.

In addition to this, we should probably make it clear that some
characters must not be emitted nor encoded (NUL, CR, LF). The risk is
that some intermediaries decode them and replace them before passing
the request to the next hop and change the message header structure,
resulting in issues similar to HTTP request smuggling attacks.

Otherwise I think it could be useful indeed.

Thanks,
Willy
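
Added example, not part of the original message or of the draft: a strict decoder for the RFC 5987 `ext-value` syntax that applies the three restrictions proposed above and refuses the value instead of falling back. It assumes UTF-8 only and reads "US-ASCII characters" as the `attr-char` set that can already be sent literally (space and other non-attr-char octets still need %-encoding); the function names, the 200 status for accepted values and the sample values in use are constructed for illustration.

```python
import re
import string

# attr-char (RFC 5987): octets that may already be sent literally.
ATTR_CHARS = frozenset(string.ascii_letters + string.digits + "!#$&+-.^_`|~")
FORBIDDEN_OCTETS = frozenset(b"\x00\r\n")  # NUL, CR, LF
_TOKEN = re.compile(r"(%[0-9A-Fa-f]{2})|(.)", re.S)


class ExtValueError(ValueError):
    """Any encoding issue; the recipient is expected to answer 400."""


def decode_ext_value_strict(ext_value: str) -> str:
    """Decode charset'language'value-chars, refusing instead of falling back."""
    parts = ext_value.split("'", 2)
    if len(parts) != 3:
        raise ExtValueError("expected charset'language'value-chars")
    charset, _language, value_chars = parts
    if charset.upper() != "UTF-8":  # assumption: only UTF-8 is accepted here
        raise ExtValueError("unsupported charset")
    raw = bytearray()
    for pct, literal in _TOKEN.findall(value_chars):
        if pct:
            octet = int(pct[1:], 16)
            if octet in FORBIDDEN_OCTETS:
                raise ExtValueError("NUL, CR or LF must not be encoded")
            if chr(octet) in ATTR_CHARS:
                raise ExtValueError("needless %-encoding of an attr-char")
            raw.append(octet)
        elif literal in ATTR_CHARS:
            raw.append(ord(literal))
        else:  # stray '%', raw control or non-ASCII character, quote, space...
            raise ExtValueError("character not allowed unencoded")
    try:
        return raw.decode("utf-8")  # strict: rejects overlong/truncated forms
    except UnicodeDecodeError as exc:
        raise ExtValueError("invalid UTF-8 sequence") from exc


def status_for(ext_value: str) -> int:
    """Map the decoder outcome to the status a strict recipient would send."""
    try:
        decode_ext_value_strict(ext_value)
        return 200
    except ExtValueError:
        return 400
```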