Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03
Willy Tarreau <w@1wt.eu> Sun, 15 January 2012 21:25 UTC
Return-Path: <w@1wt.eu>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF99F21F8480 for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.885
X-Spam-Level:
X-Spam-Status: No, score=-4.885 tagged_above=-999 required=5 tests=[AWL=-2.842, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3dBbnvSov7IC for <websec@ietfa.amsl.com>; Sun, 15 Jan 2012 13:25:59 -0800 (PST)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id D942221F8475 for <websec@ietf.org>; Sun, 15 Jan 2012 13:25:58 -0800 (PST)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id q0FLPpWX007654; Sun, 15 Jan 2012 22:25:51 +0100
Date: Sun, 15 Jan 2012 22:25:51 +0100
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20120115212551.GK32205@1wt.eu>
References: <20120115195120.GG32205@1wt.eu> <CAJE5ia_gBJ=7DviO5hkmqnXHtC8ptHyKAMieBrFbVV-h9rQo9g@mail.gmail.com> <20120115204154.GH32205@1wt.eu> <CAJE5ia9vPmkMB-NkF-5PRzd2UZcrnSvmVPNYX3XvA80HMeVvEw@mail.gmail.com> <4F133E75.2000204@gmx.de> <CAJE5ia964ApHCz_B_EKmfEiXQ3xBM6A89RfQynLOe-F1YH6GXQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJE5ia964ApHCz_B_EKmfEiXQ3xBM6A89RfQynLOe-F1YH6GXQ@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-Mailman-Approved-At: Sun, 15 Jan 2012 19:21:26 -0800
Cc: Julian Reschke <julian.reschke@gmx.de>, ian@hixie.ch, websec@ietf.org
Subject: Re: [websec] Minor feedback on draft-ietf-websec-mime-sniff-03
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jan 2012 21:25:59 -0000
On Sun, Jan 15, 2012 at 01:06:20PM -0800, Adam Barth wrote: > On Sun, Jan 15, 2012 at 1:00 PM, Julian Reschke <julian.reschke@gmx.de> wrote: > > On 2012-01-15 21:53, Adam Barth wrote: > >> On Sun, Jan 15, 2012 at 12:41 PM, Willy Tarreau<w@1wt.eu> wrote: > >>> On Sun, Jan 15, 2012 at 11:52:38AM -0800, Adam Barth wrote: > >>>> The requirement in the spec is what we intend. The rule applies only > >>>> to that exact octet sequence. > >>> > >>> But then what are the impacts of not matching the correct content-type ? > >> > >> I'm not sure I understand your question. Can you explain a scenario > >> in which something happens that causes someone to be sad with the > >> current requirements? > > > > Translating Adam: matching only some specific header field instances is > > intentional, as these are the ones we know misconfigured servers send. > > > > (right?) > > > > It wouldn't hurt if the spec would explain that choice, if it doesn't right > > now. > > I believe there's a ticket about adding that description. We've been > focusing more on the introduction/scope editing at the moment, but > we'll get to this point. > > More specifically, this is a workaround for an old (still widely > deployed) version of Apache that used that exact octet sequence to > identify resources for which it didn't know the MIME type. Apache has > since been changed to omit the Content-Type header in these cases, but > old Apache installs stay around for a very, very long time. Matching > this exact octet sequence is the minimum injury way of dealing with > this legacy content. OK I think I'm getting it now. I assumed that at step 2 of section 4, the matching text was constituting the official-type, which apparently it's not. Getting it wrong at this point causes a jump to the "unknown type" section. Maybe some names should be changed (eg: "content-type" instead of "official-type") to make it easier to read. Confusion is too easy this way and immediately makes code derived from a wrong interpretation to be buggy :-( Regards, Willy
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- Re: [websec] Minor feedback on draft-ietf-websec-… Julian Reschke
- Re: [websec] Minor feedback on draft-ietf-websec-… Adam Barth
- [websec] Minor feedback on draft-ietf-websec-mime… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Willy Tarreau
- Re: [websec] Minor feedback on draft-ietf-websec-… Ian Hickson