Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id B0E49200B5B for ; Fri, 5 Aug 2016 22:43:57 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id AF8FE160A64; Fri, 5 Aug 2016 20:43:57 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D1C48160A8E for ; Fri, 5 Aug 2016 22:43:56 +0200 (CEST) Received: (qmail 50711 invoked by uid 500); 5 Aug 2016 20:43:55 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 50700 invoked by uid 99); 5 Aug 2016 20:43:55 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Aug 2016 20:43:55 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 17092C034D for ; Fri, 5 Aug 2016 20:43:55 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.298 X-Spam-Level: * X-Spam-Status: No, score=1.298 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=rowe-clan-net.20150623.gappssmtp.com Received: from mx2-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id iEsQky9jBIr7 for ; Fri, 5 Aug 2016 20:43:53 +0000 (UTC) Received: from mail-io0-f181.google.com (mail-io0-f181.google.com [209.85.223.181]) by mx2-lw-eu.apache.org (ASF Mail Server at mx2-lw-eu.apache.org) with ESMTPS id 59CAA5F4E3 for ; Fri, 5 Aug 2016 20:43:52 +0000 (UTC) Received: by mail-io0-f181.google.com with SMTP id m101so310119598ioi.2 for ; Fri, 05 Aug 2016 13:43:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rowe-clan-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=o7SFgthDFSDDmuFSXFXSPOGGLDa6giMmIOn7Gav+8Yo=; b=rpnuN4u+DQ9kOrSO0bQ7aOXdhnjmSWHSPpBC+dZFhcirrK/4tPAPu3sTkokS26o87Y oPDH58op9/ChvS36CX/zKCxGiHZ54PUHofHqu3qkWDI4w1SbeMaxH2miPCRcFyx+xw6y N4ByyuNfyLEHNHNJB1lsgVJ4v/j0+Pmdk6c0lfoLZ0j8RN+/POm2dQz8p5g084VIe5Wu KnGdZ1Ap2rHiBlIcmNIXM4RwjJh69KNh2b+JBqhv05lYAMXPCbfAqXIO6vipAzGdlOWW iags8xJbYNtrZdiraUL+nGB6WKajbaeXjjwoLYeIVqJ0o2cIxEyFwe2uINdjOSKsnxAb NYUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=o7SFgthDFSDDmuFSXFXSPOGGLDa6giMmIOn7Gav+8Yo=; b=B06HMsEjYxN+7G+bculiZgEzz3dgMzwdtF351eyQQJTN663t3C3f+V76rHUQFZ9GMA PaRPmDN17VxJOfjQ47IxWTYPiUlEvmQej9TE6jq+s64/dtUkZnI+s2Nb45sPKmO3fB8N Kz8EqcS6LLfvN/DQDYmmbMbN659Qa6akWazkzE+2VmlCdxq8te3BWAvfGsAXnc5j/p9V F4zKnscwJ+BPkrJGHOEXNm+kBMCx51lJ6Ei4IYt5PL9XmhibSGAa4IescpR8cbYOSk9c oqsDLXS+4MtLerWAbgO9m0lBg7h3PCoR3jbK7oANtIyAbZd3Y9CKP9YdAu5EHLZRDJnt X8yA== X-Gm-Message-State: AEkoouveZ1Dg3t5r7E4sGJ0+YQ+xGCW3C0EvxnikPwagnVsazVyMNCH9CWhsxO3FZxNfumfyAWbqTbsgKE4WbZtf X-Received: by 10.107.8.94 with SMTP id 91mr79284820ioi.86.1470429825316; Fri, 05 Aug 2016 13:43:45 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.6.85 with HTTP; Fri, 5 Aug 2016 13:43:44 -0700 (PDT) Received: by 10.107.6.85 with HTTP; Fri, 5 Aug 2016 13:43:44 -0700 (PDT) In-Reply-To: References: <20160729162414.B753A3A0056@svn01-us-west.apache.org> <2e6b3df8-4aae-76d0-c458-96a0e9eda398@gmail.com> <566AF3BB-F41F-4680-8B55-4018B2295D08@gbiv.com> From: William A Rowe Jr Date: Fri, 5 Aug 2016 15:43:44 -0500 Message-ID: Subject: Re: svn commit: r1754548 - /httpd/httpd/trunk/server/protocol.c To: httpd Content-Type: multipart/alternative; boundary=001a113f3a8867d96e0539591f93 archived-at: Fri, 05 Aug 2016 20:43:57 -0000 --001a113f3a8867d96e0539591f93 Content-Type: text/plain; charset=UTF-8 On Aug 4, 2016 3:02 PM, "Roy T. Fielding" wrote: >> >> On Aug 3, 2016, at 2:28 PM, William A Rowe Jr wrote: > >> If not, then stripping trailing whitespace from the line prior to obs-fold and >> eating all leading whitespace on the obs-fold line will result in a single SP >> character, which should be just fine unless spaces were significant within >> a quoted value. The only way for the client to preserve such significant >> spaces would be to place them after the opening quote before the obs-fold. > > obs-fold is not allowed inside quoted text, so we need not worry about > messing with such a construct. Roy especially, and others familiar with the explicit purpose and meaning of the spec... We do not guard against an obs-fold occurring within a field-vchar segment, our unfolding occurs beforehand... field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] From a security and integrity perspective I can find no reason to guard against an obs-fold within a quoted string, for example. Whitespace compression to a single SP occurs to that token sent by an inept client still using obs-fold, but this appears to have no negative side-effects. Our strict mode parsing still permits simple "\n" line termination rather than the CRLF as defined by spec. Here again, I can't find a security or integrity issue. In neither case do we send bad data as request headers to a backend or bad data in a response. Is there any justification for changing either of these permissive behaviors? --001a113f3a8867d96e0539591f93 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Aug 4, 2016 3:02 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:
>>
>> On Aug 3, 2016, at 2:28 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>
>> If not, then stripping trailing whitespace from the line prior to = obs-fold and
>> eating all leading whitespace on the obs-fold line will result in = a single SP
>> character, which should be just fine unless spaces were significan= t within
>> a quoted value. The only way for the client to preserve such signi= ficant=C2=A0
>> spaces would be to place them after the opening quote before the o= bs-fold.
>
> obs-fold is not allowed inside quoted text, so we need not worry about=
> messing with such a construct.

Roy especially, and others familiar with the explicit purpos= e and meaning of the spec...

We do not guard against an obs-fold occurring within a field= -vchar segment, our unfolding occurs beforehand...

field-content =3D field-vchar [ 1*( SP / HTAB ) field-vchar = ]

From a security and integrity perspective I can find no reas= on to guard against an obs-fold within a quoted string, for example. Whites= pace compression to a single SP occurs to that token sent by an inept clien= t still using obs-fold, but this appears to have no negative side-effects.<= /p>

Our strict mode parsing still permits simple "\n" = line termination rather than the CRLF as defined by spec. Here again, I can= 't find a security or integrity issue.

In neither case do we send bad data as request headers to a = backend or bad data in a response.

Is there any justification for changing either of these perm= issive behaviors?

--001a113f3a8867d96e0539591f93--