Re: [Technical Errata Reported] RFC9112 (7633)

Julian Reschke <julian.reschke@gmx.de> Tue, 10 October 2023 05:20 UTC

Message-ID: <86dfba58-96b5-885e-a3cb-fd09bf9c49eb@gmx.de>
Date: Tue, 10 Oct 2023 07:15:38 +0200
To: RFC Editor <rfc-editor@rfc-editor.org>
References: <20230906010123.60DBBCD7E7@rfcpa.amsl.com> <B44E7AF6-DD63-47B0-B965-FD5BDEC1C897@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>, Tommy Pauly <tpauly@apple.com>, "Roy T. Fielding" <fielding@gbiv.com>, Francesca Palombini <francesca.palombini@ericsson.com>
From: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <B44E7AF6-DD63-47B0-B965-FD5BDEC1C897@gbiv.com>
Subject: Re: [Technical Errata Reported] RFC9112 (7633)
Archived-At: <https://www.w3.org/mid/86dfba58-96b5-885e-a3cb-fd09bf9c49eb@gmx.de>

Dear RFC Editor,

Could you please mark this erratum as "rejected"?

Best regards, Julian


On 06.09.2023 03:47, Roy T. Fielding wrote:
> REJECT
>
> The difference was intentional. A chunked parser is not a start line or field parser (it is a message body parser) and it is supposed to be less forgiving because it does not have to retain backwards compatibility with 1.0 parsers.
>
> Hence, bare LF around the chunk sizes would be invalid and should result in the connection being marked as invalid.
>
> If an implementation chooses to ignore what is currently defined by the spec and somehow reads less of the content than it would have with CRLF, then it has more problems than this would fix. AFAICT, it’s not possible to turn that into an attack based only on whether the recipient accepts or rejects a chunked message.
>
> In any case, suggestions for further hardening of the chunked parser would have to be defined in that section, not here.
>
> ....Roy
>
>
>> On Sep 5, 2023, at 6:04 PM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>
>> The following errata report has been submitted for RFC9112,
>> "HTTP/1.1".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7633
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Amos Jeffries <squid3@treenet.co.nz>
>>
>> Section: 2.2
>>
>> Original Text
>> -------------
>>    Although the line terminator for the start-line and fields is the
>>    sequence CRLF, a recipient MAY recognize a single LF as a line
>>    terminator and ignore any preceding CR.
>>
>> Corrected Text
>> --------------
>>    Although the line terminator for the start-line, fields, chunk
>>    and last-chunk is the sequence CRLF, a recipient MAY recognize
>>    a single LF as a line terminator and ignore any preceding CR.
>>
>> Notes
>> -----
>> Chunked encoding (section 6.3) uses CRLF for line/framing delimiters in the same manner as other HTTP message sections. But these lines are not listed as possible sites of a bare-LF line terminator, which makes for an unnecessary parser exception and complicates possible request-smuggling robustness between implementations.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC9112 (draft-ietf-httpbis-messaging-19)
>> --------------------------------------
>> Title               : HTTP/1.1
>> Publication Date    : June 2022
>> Author(s)           : R. Fielding, Ed., M. Nottingham, Ed., J. Reschke, Ed.
>> Category            : INTERNET STANDARD
>> Source              : HTTP
>> Area                : Applications and Real-Time
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>
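The distinction the thread turns on, shown in code. This is an added example written for this archive page; it is not code from RFC 9112, from Squid, or from any other implementation, and the function and class names (`read_field_line_lenient`, `decode_chunked_strict`, `ChunkFramingError`, `is_valid_chunked`) are this example's own. It implements the Section 2.2 allowance (a recipient MAY treat a bare LF as the terminator of the start-line and field lines, ignoring a preceding CR) for header lines, and the published chunked framing (chunk-size [chunk-ext] CRLF, chunk-data CRLF, last-chunk, trailer section) with CRLF required everywhere, so that a bare LF around a chunk size is a framing error and the connection is to be treated as invalid, which is the behaviour the rejection above describes. The sample bodies in the `__main__` block are constructed for the example.

```python
"""Lenient header-line reading versus strict chunked framing (RFC 9112).

Added example, not code from the RFC or any implementation in the thread.
"""
import re
from typing import List, Tuple

# chunk-size = 1*HEXDIG, optionally followed by chunk-ext (BWS ";" ...),
# then CRLF. Pattern.match(buf, pos) anchors at pos, so no '^' is needed.
_CHUNK_SIZE_LINE = re.compile(rb'([0-9A-Fa-f]+)([ \t]*;[^\r\n]*)?\r\n')
_CRLF = b'\r\n'


class ChunkFramingError(ValueError):
    """Chunked framing violation: the recipient must mark the connection invalid."""


def read_field_line_lenient(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Section 2.2 behaviour for the start-line and field lines only:
    a bare LF terminates the line and a CR immediately before it is ignored.
    Returns (line_without_terminator, offset_of_next_line)."""
    lf = buf.find(b'\n', pos)
    if lf < 0:
        raise ValueError('no line terminator found')
    line = buf[pos:lf]
    if line.endswith(b'\r'):
        line = line[:-1]
    return line, lf + 1


def decode_chunked_strict(body: bytes) -> Tuple[bytes, List[bytes], int]:
    """Decode a chunked message body requiring CRLF in every framing position.

    Returns (content, trailer_field_lines, bytes_consumed). A bare LF in a
    chunk-size line, a missing CRLF after chunk-data, a bare LF inside the
    trailer section, or truncation raises ChunkFramingError.
    """
    content = bytearray()
    pos = 0
    while True:
        m = _CHUNK_SIZE_LINE.match(body, pos)
        if m is None:
            raise ChunkFramingError(f'invalid chunk-size line at offset {pos}')
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:  # last-chunk: "0" [chunk-ext] CRLF
            break
        data_end = pos + size
        if body[data_end:data_end + 2] != _CRLF:
            raise ChunkFramingError(f'chunk-data not followed by CRLF at offset {data_end}')
        content += body[pos:data_end]
        pos = data_end + 2

    # trailer-section = *( field-line CRLF ), then an empty line (CRLF)
    trailers: List[bytes] = []
    while True:
        end = body.find(_CRLF, pos)
        if end < 0:
            raise ChunkFramingError('trailer section not terminated by CRLF')
        line = body[pos:end]
        pos = end + 2
        if not line:
            break
        if b'\n' in line:  # a bare LF before the CRLF is not a line terminator here
            raise ChunkFramingError('bare LF inside trailer section')
        trailers.append(line)
    return bytes(content), trailers, pos


def is_valid_chunked(body: bytes) -> bool:
    """True if the body decodes under strict framing, False on any violation."""
    try:
        decode_chunked_strict(body)
        return True
    except ChunkFramingError:
        return False


if __name__ == '__main__':
    # Constructed samples: header lines with mixed terminators, then two bodies
    # that differ only in the terminator after the chunk size.
    headers = b'Host: example\nX-A: b\r\n'
    line, nxt = read_field_line_lenient(headers, 0)
    print(line, read_field_line_lenient(headers, nxt)[0])
    print(decode_chunked_strict(b'5\r\nhello\r\n0\r\n\r\n'))
    print(is_valid_chunked(b'5\nhello\r\n0\r\n\r\n'))  # bare LF: rejected
```

The third return value (bytes consumed) is what matters for framing safety: a strict recipient either consumes exactly the chunked message and knows where the next message on the connection begins, or stops and invalidates the connection; it never guesses at a boundary the sender and other intermediaries might place elsewhere.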