IETF Logo Mail Archive

RE: [Uri-review] Request for review

Andrey Shur <andreysh@exchange.microsoft.com> Tue, 23 May 2006 16:30 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiZm1-00076y-O2; Tue, 23 May 2006 12:30:21 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FiZm1-00076t-1P for uri-review@ietf.org; Tue, 23 May 2006 12:30:21 -0400
Received: from mail4.exchange.microsoft.com ([131.107.1.99]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FiZls-0006d5-9J for uri-review@ietf.org; Tue, 23 May 2006 12:30:20 -0400
Received: from df-hub-01.exchange.corp.microsoft.com ([157.54.69.171]) by mail4.exchange.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 23 May 2006 09:30:11 -0700
Received: from df-bhd-02.exchange.corp.microsoft.com ([157.54.71.211]) by df-hub-01.exchange.corp.microsoft.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Tue, 23 May 2006 09:30:11 -0700
X-MS-Exchange-Organization-AuthDomain:
From: Andrey Shur <andreysh@exchange.microsoft.com>
To: Martin Duerst <duerst@it.aoyama.ac.jp>, Mark Baker <distobj@acm.org>
Date: Tue, 23 May 2006 09:30:12 -0700
Subject: RE: [Uri-review] Request for review
Thread-Topic: [Uri-review] Request for review
Thread-Index: AcZ+FwBiytFkIHUYQ561iYDvzileGgAKxhfw
Message-ID: <1D4A05136773CF4DB373F6FE4E103150110EEEB9@df-pug-msg.exchange.corp.microsoft.com>
In-Reply-To: <6.0.0.20.2.20060523114617.0860fa00@localhost>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
AcceptLanguage: en-US
x-ms-exchange-organization-authmechanism: SecureMapiSubmit
x-ms-exchange-organization-authsource: df-bhd-02.exchange.corp.microsoft.com
x-ms-exchange-organization-authas: Internal
x-recipient-p2-type: Cc
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 23 May 2006 16:30:11.0462 (UTC) FILETIME=[298F6A60:01C67E86]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 68ba2b07ef271dba6ee42a93832cfa4c
Cc: "John Calhoon (LCA)" <john.calhoon@microsoft.com>, Ted, Hardie <hardie@qualcomm.com>, "uri-review@ietf.org" <uri-review@ietf.org>, Jerry Dunietz <jerryd@windows.microsoft.com>, Gregg Brown <greggb@microsoft.com>, "Jerry@scmailgw1.scop.aoyama.ac.jp" <Jerry@scmailgw1.scop.aoyama.ac.jp>
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
Errors-To: uri-review-bounces@ietf.org

Hi Martin,

thank you for the feedback. You have raised the number of points, but before going through them let me describe how relative references in a part's content are resolved according to the Open Packaging Conventions (OPC) technology (which "pack:" Uri scheme is a part of).

Let's take the package http://www.mysite.com/my.package. The package holds a number of parts; the part named /bar.xml holds relative references "../../foo.ext" and "/path/foo.ext".

OPC defines the base Uri of the part named /bar.xml as pack://http%3c,,www.mysite.com,my.package/bar.xml. Note that OPC only defines the base Uri of a part, the resolution of relative references follows the algorithm defined in RFC 3986 section 5.

If content of the part /bar.xml does not hold explicit instructions defining another base Uri (e.g. xml:base attribute), relative references are resolved against the base Uri of the part.

In our example:

Relative reference ../../foo.ext resolved against the base Uri = pack://http%3c,,www.mysite.com,my.package/bar.xml gives us pack://http%3c,,www.mysite.com,my.package/foo.ext. The obtained Uri identifies part named /foo.ext within the given package.

Relative reference /path/foo.ext resolved against the base Uri = pack://http%3c,,www.mysite.com,my.package/bar.xml gives us pack://http%3c,,www.mysite.com,my.package/path/foo.ext. The obtained Uri identifies part named /path/foo.ext within the given package.

We can see from these two examples that any relative reference (let's put network-path aside) being resolved against the base Uri of the part gives us the "pack:" Uri that identifies a part within the same package.

Regards,
Andrey Shur

-----Original Message-----
From: Martin Duerst [mailto:duerst@it.aoyama.ac.jp]
Sent: Monday, May 22, 2006 8:04 PM
To: Andrey Shur; Mark Baker
Cc: John Calhoon (LCA); Jerry@scmailgw1.scop.aoyama.ac.jp; Ted Hardie; uri-review@ietf.org; Jerry Dunietz; Gregg Brown
Subject: RE: [Uri-review] Request for review

Hello Andrey,

At 11:08 06/05/23, Andrey Shur wrote:
>Mark,
>
>Thank you for the question. I can see two parts of it that should be answered:
>
>First, why do we consider "any relative reference"? Actually we expect
>users of the packaging technology to store manifold content in the package parts.

Of course.

>Certain kinds of the content may hold relative references.

Yes of course. But you don't have any guarantee that the
content referenced will be part of the package. So if a
user wants to create a 'self-contained' (meaning no
external relative references) package, either the user
(manually, or with dedicated scripts,...) or the packaging
software has to check all the references anyway.
Such a check is only marginally simplified by the
fact that there is a way to rewrite these relative
references so that any in-package relative reference
can start with a single slash, and out-of package
relative refences cannot be converted.


>We don't want to limit our customers to a particular form of relative
>references.

If you want to make use of the specific properties of your
scheme, you have to rewrite relative references anyhow, in
which case it doesn't make much of a difference.

Let's say the user uses something like ../../foo.ext.
If this is in-package, you can leave it as that. If it
is out-of-package, and you want to restrict such links,
you have to raise an error (or do something else according
to user preferences).

Let's say the user uses something like /path/foo.ext.
Again, this could be in-package or out of package. You have
to check, and if necessary rewrite it.


>Second, why do we have a goal to "keep relative references within the
>package"? This is all about security. An application performing regular
>(default) resolution of relative references should not access resources
>outside of the package.

But the syntax you came up with doesn't guarantee this, as you
showed with the ../../../foo.ext example.

Trying to get security with the syntax, when you actually don't have
that security and therefore need to check things anyway on the
receiving end and/or on the production end doesn't make much sense
to me.

Also, the additional potential security threads created by
an additional escaping layer should be considered.


>If an application needs to access external resources, it must be
>explicitly defined in the content by specifying an appropriate base Uri

So basically all the security precautions can be circumvented
by using a base URI? Again, security has to be checked on
resolution. Trying to build it into the syntax doesn't work.


>or by using network-path form of the relative reference.

Using a network-path reference means to use the same scheme as
used previously, which means the pack: scheme. As said in
RFC 3986, network-path references are rare anyway.
You don't mention absolute URIs. Are they allowed or not?

Regards,    Martin.




#-#-#  Martin J. Du"rst, Assoc. Professor, Aoyama Gakuin University
#-#-#  http://www.sw.it.aoyama.ac.jp       mailto:duerst@it.aoyama.ac.jp


_______________________________________________
Uri-review mailing list
Uri-review@ietf.org
https://www1.ietf.org/mailman/listinfo/uri-review

v2.23.0 | Report a Bug | By Email