Re: p1: whitespace in request-target

Willy Tarreau <w@1wt.eu> Tue, 30 April 2013 05:55 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9128E21F9C55 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 22:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2YtCH1LIfTfw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 29 Apr 2013 22:55:35 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 4F5A821F9C50 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 29 Apr 2013 22:55:35 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UX3Wu-0006Mn-53 for ietf-http-wg-dist@listhub.w3.org; Tue, 30 Apr 2013 05:55:08 +0000
Resent-Date: Tue, 30 Apr 2013 05:55:08 +0000
Resent-Message-Id: <E1UX3Wu-0006Mn-53@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UX3Wk-00056X-Bk for ietf-http-wg@listhub.w3.org; Tue, 30 Apr 2013 05:54:58 +0000
Received: from 1wt.eu ([62.212.114.60]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UX3Wh-00028O-Ln for ietf-http-wg@w3.org; Tue, 30 Apr 2013 05:54:57 +0000
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id r3U5qpJL021552; Tue, 30 Apr 2013 07:52:51 +0200
Date: Tue, 30 Apr 2013 07:52:51 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20130430055251.GC21517@1wt.eu>
References: <2183465A-F833-4701-A55C-EC105A36329E@mnot.net> <516F6CF9.30709@treenet.co.nz> <84716645-4097-4014-BB4A-3A8C5BF5DD4E@mnot.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <84716645-4097-4014-BB4A-3A8C5BF5DD4E@mnot.net>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-5.2
X-W3C-Hub-Spam-Report: AWL=-0.882, BAYES_00=-1.9, RP_MATCHES_RCVD=-2.442, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UX3Wh-00028O-Ln 17f32c72ce0671c5cba31443544e69d2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: whitespace in request-target
Archived-At: <http://www.w3.org/mid/20130430055251.GC21517@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17714
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Apr 30, 2013 at 01:18:43PM +1000, Mark Nottingham wrote:
> So, I'm not hearing you say "don't make this a MUST" -- just noting that some
> broken software out there; correct?

Amos' last sentence makes me understand "please don't make this a MUST" :

> The actual security worst-case risk of this undeterminable, but its
> not going to be good for the transaction at the best of times

And I also agree with him that the wording currently is ambiguous because
it can either be understood as "servers and intermediaries should do this
since they're accepting user-typed URIs" or as "clients should fix user-
typed requests before sending".

Thus in order to avoid any ambiguity, I would propose two sentences instead
of one :

>   For robustness, software that accepts user-typed URI should attempt
>   to recognize and strip both delimiters and embedded whitespace.

Would become :

    Clients MUST NOT send user-typed delimiters and embedded whitespaces
    as-is in URIs, and SHOULD either encode them, strip them. Alternatively
    they MAY simply refuse to perform the request.

    Servers and intermediaries MUST NOT try to fix embedded spaces and
    delimiters in URIs, as doing so could lead to interoperability issues
    and make several components in the chain understand different things.
    When a request does not parse exactly as defined in the ABNF, an error
    400 (Bad Request) MUST be returned to the client.

Comments ?

Willy