Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-header-structure-18: (with DISCUSS and COMMENT)

Mark Nottingham <mnot@mnot.net> Thu, 21 May 2020 02:39 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DAF33A09C7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 May 2020 19:39:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.749
X-Spam-Level:
X-Spam-Status: No, score=-2.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=xLfazngk; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Imz1rp9v
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-mqfKu4Ik2O for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 May 2020 19:39:00 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC0073A09C1 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 20 May 2020 19:38:59 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jbb6Y-0005yU-LF for ietf-http-wg-dist@listhub.w3.org; Thu, 21 May 2020 02:38:42 +0000
Resent-Date: Thu, 21 May 2020 02:38:42 +0000
Resent-Message-Id: <E1jbb6Y-0005yU-LF@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1jbb6W-0005ww-Lf for ietf-http-wg@listhub.w3.org; Thu, 21 May 2020 02:38:41 +0000
Received: from out1-smtp.messagingengine.com ([66.111.4.25]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mnot@mnot.net>) id 1jbb6U-0006Vt-Mj for ietf-http-wg@w3.org; Thu, 21 May 2020 02:38:40 +0000
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id ECC135C00A8; Wed, 20 May 2020 22:38:27 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Wed, 20 May 2020 22:38:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=y L1s+mqbQ9MMGctTN0Ehw+tM//mXp28Zt36yh3xbY0c=; b=xLfazngkJvxguQMYQ muPB1mDV18rTzRoTrOmeKGWGojNZ4vJtwH4X3vK/DeuM7HaGejyLPsalF71xVQHS V71j33H8fai58oOemA8AmA4INldG898gHCIU0OXwEqoPcDBB9f9DfphYRFo0mPaf Fp2Bp1I2G7PEoQQIlBWWSjqlIf6+VuHESCC+mfpecgFa41Yo5qvfLJeh9gp83EMQ 3nhjBuDow63/c/vD3jzK21PCaER4o2ve9AsW4tkLWLivYcoivvNGn7PlfWlJZhrg OB5drmyAD/MxAs3r0o3MVdiir51k/MsEr/DEfEbJRZWzZfT6IKpf2tIXQwjq6Wh3 VCMFg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=yL1s+mqbQ9MMGctTN0Ehw+tM//mXp28Zt36yh3xbY 0c=; b=Imz1rp9vNbeAHiUzB5Y3WPscjITPBQmfxwFnGxGjFNiFt7Iu0VoZj7svg varAArdYSOdawv/uwQNPBO/23ncSlb7M2W4VoprlZpK4eyV9xoiKZQPG3/ucU3nU 6I3SbJ1yiGhZIm3W563Tte2NUI74z3jIN9+9v4YGr/ed8F4OahdSiK3ExK69Xvnn KGAxIBynxYaS991RNWU1DjRizUVqTiMszit+c9vWCda9fISALCR/+IsQbyjJA6O3 bxekFjM93ucPr2zXkVzMxL3MMdi6Zp1LBDTZOxzEPieibMixOrG36fPDcHwfLbKJ lgcYSMewkYuU0Mpq95ch1RaRQ5buw==
X-ME-Sender: <xms:ounFXtkxALpS4OViMUKaGQzAfoHkgS87A5rgAa_-pyZ5StEi5exdMw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedruddutddgheelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtvdenucfhrhhomhepofgrrhhk ucfpohhtthhinhhghhgrmhcuoehmnhhothesmhhnohhtrdhnvghtqeenucggtffrrghtth gvrhhnpeelffdvueevffffkeeggfffueegheelkeekteejlefhleekveekudeiieevvdet gfenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhmnhhothdrnhgvthenucfkphepud duledrudejrdduheekrddvhedunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghm pehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:ounFXo1L4MgJQ7gHIMnSDcahrFVX_-UjL4ES11QOxV6HbfxZuhlPbg> <xmx:ounFXjoxve6sgwIrfKZCOzCg5h9CZWwJranMu9UV8v4oO9KKrJQ54g> <xmx:ounFXtl9I5P8bq4h5mihqWRcO8MP9gO6k2PQ8uO5yGzt5X5XbHG_tA> <xmx:o-nFXr_XGvnCivSdEebKXRuypAUSrcHNqcy1uvKoqOxpU41X6wgfeQ>
Received: from macbook-air.mnot.net (119-17-158-251.77119e.mel.static.aussiebb.net [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id CB650328005D; Wed, 20 May 2020 22:38:24 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20200520162305.GA58497@kduck.mit.edu>
Date: Thu, 21 May 2020 12:38:21 +1000
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-header-structure@ietf.org, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <616FDD30-CB82-4E08-82D2-646283D0AF12@mnot.net>
References: <158985680600.32294.14997877272521602557@ietfa.amsl.com> <CFC9B0CA-6125-4705-A13E-F2260F3EC3A5@mnot.net> <20200519170036.GN58497@kduck.mit.edu> <FB915609-4CD1-416A-98AD-3950BF3BE09C@mnot.net> <20200520153858.GZ58497@kduck.mit.edu> <20200520162305.GA58497@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Received-SPF: pass client-ip=66.111.4.25; envelope-from=mnot@mnot.net; helo=out1-smtp.messagingengine.com
X-W3C-Hub-Spam-Status: No, score=-9.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jbb6U-0006Vt-Mj b0d2b2d4d77c46256b5825c151f1f45a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-header-structure-18: (with DISCUSS and COMMENT)
Archived-At: <https://www.w3.org/mid/616FDD30-CB82-4E08-82D2-646283D0AF12@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37690
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks, Ian C also caught this. Corrected in <https://github.com/httpwg/http-extensions/commit/c23df1c8>.

> On 21 May 2020, at 2:23 am, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Wed, May 20, 2020 at 08:39:03AM -0700, Benjamin Kaduk wrote:
>> 
>>>>>> Section 6
>>>>>> 
>>>>>> It seems worth mentioning the handling for duplicated key names (e.g.,
>>>>>> in parameters and dictionaries) w.r.t. overwrite or must-be-unique, and
>>>>>> how there have been previous vulnerabilities relating to different
>>>>>> implementations choosing "first one wins" vs. "last one wins".
>>>>> 
>>>>> That doesn't seem to apply to a correct implementation, only to headers that *aren't* structured fields.
>>>> 
>>>> It's still motivation for why we are making the choices we did and a
>>>> benefit that structured headers have over the existing mechanisms.
>>> 
>>> Right, but that doesn't seem appropriate in Security Considerations; it's more Introduction / motivating material.
>>> 
>>>> Also, it seems to explicitly apply to parameter map keys (per the earlier
>>>> discussion).
>>> 
>>> I've added a note to this effect in the Dictionary and Parameter parsing algorithms; see latest commit.
> 
> Hmm, the note says this discards duplicates after the first one, but the
> procedures say to overwrite an existing value.  Shouldn't the note say
> something else?
> 
> -Ben

--
Mark Nottingham   https://www.mnot.net/