Re: Call for Adoption: draft-reschke-rfc5987bis

Willy Tarreau <w@1wt.eu> Tue, 31 March 2015 08:22 UTC

Resent-Date: Tue, 31 Mar 2015 08:19:36 +0000
Resent-Message-Id: <E1YcrOa-0008GG-Ol@frink.w3.org>
Date: Tue, 31 Mar 2015 10:19:01 +0200
From: Willy Tarreau <w@1wt.eu>
To: "Martin J. Dürst" <duerst@it.aoyama.ac.jp>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150331081901.GA7183@1wt.eu>
References: <1C7436D4-D1EF-454C-BC14-E8C00165AA2E@mnot.net> <20150331054245.GB7069@1wt.eu> <551A534F.5080702@it.aoyama.ac.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <551A534F.5080702@it.aoyama.ac.jp>
User-Agent: Mutt/1.4.2.3i
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Call for Adoption: draft-reschke-rfc5987bis
Archived-At: <http://www.w3.org/mid/20150331081901.GA7183@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29115
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Mar 31, 2015 at 04:57:03PM +0900, "Martin J. Dürst" wrote:
> On 2015/03/31 14:42, Willy Tarreau wrote:
> >Also, I'd prefer to make it explicitly forbidden to %-encode US-ASCII
> >characters because this could be used to bypass some WAFs for example :
> >if it is detected that a server implements this standard and is able
> >to %-decode some attributes in header fields, and a WAF in the middle
> >does not, the client can abuse the %-encoding to try to hide some
> >activities.
> 
> This makes a lot of sense, but we have to be careful that this doesn't
> apply to all US-ASCII characters; there will be some that have to be
> escaped because of syntactic constraints.

Absolutely, I was making a general point. For sure, commas, semi-colons,
spaces, tabs, quotes for example should be encoded.

Willy
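One way to implement the policy the two messages above converge on, as an added example that is not part of this thread, of the draft, or of any implementation discussed here: a Python decoder for the RFC 5987 ext-value syntax (charset'language'value-chars) that accepts %-encoding of non-ASCII octets and of the delimiters the grammar forces a sender to escape (comma, semicolon, space, tab, quotes), but rejects a %-encoded attr-char, i.e. an US-ASCII character that could have appeared literally. The function names, the accepted charset list and the sample values are this example's own assumptions.

```python
import re
import string

# attr-char from RFC 5987 section 3.2.1: the only characters that may appear
# literally (unencoded) in the value part of an ext-value.
ATTR_CHAR = frozenset(string.ascii_letters + string.digits + "!#$&+-.^_`|~")

# ext-value = charset "'" [ language ] "'" value-chars   (RFC 5987 grammar)
EXT_VALUE_RE = re.compile(r"^([A-Za-z0-9!#$%&+\-^_`{}~]+)'([A-Za-z0-9\-]*)'(.*)$")

# Charsets this example accepts (an assumption of the example; RFC 5987
# requires support for UTF-8 and ISO-8859-1).
ACCEPTED_CHARSETS = {"UTF-8", "ISO-8859-1"}


class ExtValueError(ValueError):
    """Raised when an ext-value is malformed or violates the encoding policy."""


def pct_encoded_octets(value_chars):
    """Yield (offset, octet) for every %XX sequence in value_chars.

    Raises ExtValueError on a truncated or non-hex escape.
    """
    i = 0
    while i < len(value_chars):
        if value_chars[i] == "%":
            hexpair = value_chars[i + 1:i + 3]
            if len(hexpair) != 2 or not all(h in string.hexdigits for h in hexpair):
                raise ExtValueError("bad pct-encoding at offset %d" % i)
            yield i, int(hexpair, 16)
            i += 3
        else:
            i += 1


def needless_encodings(value_chars):
    """Return the attr-chars that were %-encoded although they may appear literally.

    An empty list means every escape was either a non-ASCII octet or a
    delimiter (comma, semicolon, space, quote, ...) that the grammar forces
    a sender to encode. Also validates every %XX escape as a side effect.
    """
    return [chr(o) for _, o in pct_encoded_octets(value_chars)
            if o < 0x80 and chr(o) in ATTR_CHAR]


def decode_ext_value(ext_value, strict_ascii=True):
    """Decode an RFC 5987 ext-value into (charset, language, text).

    With strict_ascii=True a %-encoded attr-char is rejected, so a decoding
    endpoint and a non-decoding intermediary cannot end up seeing two
    different strings for the same field.
    """
    m = EXT_VALUE_RE.match(ext_value)
    if not m:
        raise ExtValueError("expected charset'language'value-chars")
    charset, language, value_chars = m.groups()
    if charset.upper() not in ACCEPTED_CHARSETS:
        raise ExtValueError("unsupported charset %r" % charset)

    bad = needless_encodings(value_chars)   # validates all %XX escapes too
    if strict_ascii and bad:
        raise ExtValueError("needlessly %%-encoded US-ASCII: %r" % bad)

    out = bytearray()
    i = 0
    while i < len(value_chars):
        c = value_chars[i]
        if c == "%":
            out.append(int(value_chars[i + 1:i + 3], 16))   # already validated
            i += 3
        elif c in ATTR_CHAR:
            out.append(ord(c))
            i += 1
        else:
            raise ExtValueError("character %r must be pct-encoded" % c)
    return charset, language, out.decode(charset)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real traffic.
    print(decode_ext_value("UTF-8''%c2%a3%20rates"))        # non-ASCII and space: fine
    print(decode_ext_value("UTF-8''a%2Cb%3Bc"))             # delimiters: fine
    print(needless_encodings("%66ile%2Etxt"))               # ['f', '.']: flagged
```

An intermediary that does not decode ext-values itself can still run `needless_encodings()` over `filename*`-style parameters and log or reject the field when the list is non-empty; that gives it the same view of the value as the origin server without having to implement the full decoding.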