Re: p1: whitespace in request-target
Willy Tarreau <w@1wt.eu> Sun, 19 May 2013 21:52 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DD0021F8EAF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 19 May 2013 14:52:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wcg-Umj50D4E for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 19 May 2013 14:52:24 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 34E6421F8746 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 19 May 2013 14:52:23 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UeBVR-0006TX-Ju for ietf-http-wg-dist@listhub.w3.org; Sun, 19 May 2013 21:51:05 +0000
Resent-Date: Sun, 19 May 2013 21:51:05 +0000
Resent-Message-Id: <E1UeBVR-0006TX-Ju@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UeBVB-0006Si-Bf for ietf-http-wg@listhub.w3.org; Sun, 19 May 2013 21:50:49 +0000
Received: from 1wt.eu ([62.212.114.60]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UeBVA-00006u-GK for ietf-http-wg@w3.org; Sun, 19 May 2013 21:50:49 +0000
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id r4JLmluB008824; Sun, 19 May 2013 23:48:47 +0200
Date: Sun, 19 May 2013 23:48:47 +0200
From: Willy Tarreau <w@1wt.eu>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20130519214847.GE8651@1wt.eu>
References: <2183465A-F833-4701-A55C-EC105A36329E@mnot.net> <516F6CF9.30709@treenet.co.nz> <84716645-4097-4014-BB4A-3A8C5BF5DD4E@mnot.net> <20130430055251.GC21517@1wt.eu> <04F00D4A-09EE-4729-AB44-EAD26522192E@gbiv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <04F00D4A-09EE-4729-AB44-EAD26522192E@gbiv.com>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-3.6
X-W3C-Hub-Spam-Report: AWL=-2.525, RP_MATCHES_RCVD=-1.07, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UeBVA-00006u-GK a2c50a9c64672b2c460a6d38badbf4e0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: whitespace in request-target
Archived-At: <http://www.w3.org/mid/20130519214847.GE8651@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/18029
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Roy, On Sun, May 19, 2013 at 12:58:47PM -0700, Roy T. Fielding wrote: (...) > The text currently in p1 (latest) is > > The request-target identifies the target resource upon which to apply > the request, as defined in Section 5.3. > > Recipients typically parse the request-line into its component parts > by splitting on whitespace (see Section 3.5), since no whitespace is > allowed in the three components. Unfortunately, some user agents > fail to properly encode or exclude whitespace found in hypertext > references, resulting in those disallowed characters being sent in a > request-target. > > Recipients of an invalid request-line SHOULD respond with either a > 400 (Bad Request) error or a 301 (Moved Permanently) redirect with > the request-target properly encoded. Recipients SHOULD NOT attempt > to autocorrect and then process the request without a redirect, since > the invalid request-line might be deliberately crafted to bypass > security filters along the request chain. > > I think the requirement is adequately explained. Yes, I remember it now, it was already discussed several months ago. > It is a SHOULD instead > of a MUST because there was no specific error handling defined for this > case in 2616. Well, it says at 3.2.1 that the format of RFC2396 applies to URIs, and 2396 explicitly excludes spaces and control characters from allowed characters used in URIs. In 5.1, 2616 says : Request-Line = Method SP Request-URI SP HTTP-Version CRLF, Request-URI = "*" | absoluteURI | abs_path | authority And unless I missed something, none of them was allowed to contain a space (except SP of course :-)). Is this because of the following sentence a few lines below that you're saying the error handling was not defined ? "Servers SHOULD respond to invalid Request-URIs with an appropriate status code." Because then I agree that I found nothing mandating anyone to return 400 when receiving an invalid request, which is a bit sad but we'll have to live with this I guess :-/ Best regards, Willy
- p1: whitespace in request-target Mark Nottingham
- Re: p1: whitespace in request-target Amos Jeffries
- Re: p1: whitespace in request-target Willy Tarreau
- #443: p1: whitespace in request-target Mark Nottingham
- Re: p1: whitespace in request-target Mark Nottingham
- Re: p1: whitespace in request-target Willy Tarreau
- #443: whitespace in request-target Mark Nottingham
- Re: p1: whitespace in request-target Roy T. Fielding
- Re: p1: whitespace in request-target Willy Tarreau