IETF Logo Mail Archive

Re: content inspection in absence of media type, was: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24

Julian Reschke <julian.reschke@gmx.de> Tue, 29 October 2013 14:12 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4494811E825F for <ietf@ietfa.amsl.com>; Tue, 29 Oct 2013 07:12:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.704
X-Spam-Level:
X-Spam-Status: No, score=-103.704 tagged_above=-999 required=5 tests=[AWL=-1.105, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KIWsfnWuJyY3 for <ietf@ietfa.amsl.com>; Tue, 29 Oct 2013 07:12:35 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 61EDA11E815F for <ietf@ietf.org>; Tue, 29 Oct 2013 07:12:34 -0700 (PDT)
Received: from [192.168.1.102] ([217.91.35.233]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MUHbK-1VAAy32Mjq-00Qwp4 for <ietf@ietf.org>; Tue, 29 Oct 2013 15:12:33 +0100
Message-ID: <526FC24D.7060704@gmx.de>
Date: Tue, 29 Oct 2013 15:12:29 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: S Moonesamy <sm+ietf@elandsys.com>, apps-discuss@ietf.org, draft-ietf-httpbis-p2-semantics.all@tools.ietf.org
Subject: Re: content inspection in absence of media type, was: [apps-discuss] APPSDIR review of draft-ietf-httpbis-p2-semantics-24
References: <6.2.5.6.2.20131027115007.07e32210@elandnews.com> <526E8B9E.8030006@gmx.de> <6.2.5.6.2.20131029050405.0caf8b40@elandnews.com>
In-Reply-To: <6.2.5.6.2.20131029050405.0caf8b40@elandnews.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:6vHzeACHppkj/0q0hAgrLDAw/9V7oveMcnxN9NLU99E3hsNsNX5 6Ri8x5NM+GFLzofOZO1F1+NJ6JbsQKsF/CMqnXNgwoaHfJ+1TnSBcmxFn9TaU90P91/ZNlJ PTyEULUbez3zd7HHNygjNWce2qaDZ6xEFyJInsv9ZLtYlc1Uxtee2Jx2RoOpDDOMnruhq+c e40VRAh8oArrlTINS63JQ==
Cc: ietf@ietf.org, iesg@ietf.org, ietf-http-wg@w3.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2013 14:12:40 -0000

On 2013-10-29 14:26, S Moonesamy wrote:
> Hi Julian,
> At 09:06 28-10-2013, Julian Reschke wrote:
>> On 2013-10-28 09:07, S Moonesamy wrote:
>> (which expired ~2 years ago)
>
> I guess that the working group gave up.  Please note that I did not
> suggest adding a reference.
>
>> Could you clarify what exactly the issue is?
>>
>> RFC 2616 said
>> (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.7.2.1.p.4>):
>>
>>> Any HTTP/1.1 message containing an entity-body SHOULD include a
>>> Content-Type header field defining the media type of that body. If
>>> and only if the media type is not given by a Content-Type field, the
>>> recipient MAY attempt to guess the media type via inspection of its
>>> content and/or the name extension(s) of the URI used to identify the
>>> resource. If the media type remains unknown, the recipient SHOULD
>>> treat it as type "application/octet-stream".
>>
>> ...which isn't that different.
>
> The 'If the media type remains unknown, the recipient SHOULD treat it as
> type "application/octet-stream' from RFC 2616 is not in
> draft-ietf-httpbis-p2-semantics-24.

I consider that sentence to be useless - if I can't detect the type, 
what else but "treating as arbitrary data" is left as an option anyway?

> The issue is the "or examine the data to determine its type".  I'll
> comment about the text (Section 3.1.1.5) again.  The server has to
> generate a Content-Type header field unless the media type is unknown.

Yes.

> There is then a RFC 2119 "may" which is applicable when the (previous)
> RFC 2119 "should" cannot be applied.  My reading of the "may" is that
> the usage is not entirely correct.  I am not raising that as an issue.

I still don't get what the issue is :-)

> The issue is whether there is a security problem and whether there is
> adequate discussion of it (e.g. it is discussed in a Security
> Considerations section).

The subsequent text is:

"In practice, resource owners do not always properly configure their 
origin server to provide the correct Content-Type for a given 
representation, with the result that some clients will examine a 
payload's content and override the specified type. Clients that do so 
risk drawing incorrect conclusions, which might expose additional 
security risks (e.g., "privilege escalation"). Furthermore, it is 
impossible to determine the sender's intent by examining the data 
format: many data formats match multiple media types that differ only in 
processing semantics. Implementers are encouraged to provide a means of 
disabling such "content sniffing" when it is used."

Do you think this is insufficient, or that it needs to move to a 
different part of the spec?

Best regards, Julian

v2.23.0 | Report a Bug | By Email