httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: StrictURI in the wild [Was: Backporting HttpProtocolOptions survey]
Date Tue, 13 Sep 2016 18:13:47 GMT


On 09/13/2016 08:02 PM, William A Rowe Jr wrote:
> On Tue, Sep 13, 2016 at 10:55 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> 
>     On Mon, Sep 12, 2016 at 9:19 PM, Eric Covener <covener@gmail.com> wrote:
> 
> 
>         For others who might hit a maze of closed/duped bug reports this one
>         is active this year:
>         https://bugzilla.mozilla.org/show_bug.cgi?id=1064700
> 
> 
>     Makes for some disturbing reading... the amount of misinformation
>     is truly mind-boggling (especially if you chase down the other reports.)
>     Their aspirational goal of duplicating the mistakes of the other clients
>     speaks for the wider UA community... sigh. Firefox has since 'uncorrected'
>     their originally correct handling of '[' and ']' to be equally out-of-spec.
> 
>     But it leads to a very thorough survey of the queryargs behavior of the
>     major browser families which is worth reviewing;
>     https://bugzilla.mozilla.org/show_bug.cgi?id=1152455#c6
> 
> 
> unwise/unsafe aside, review the rest of that comment 6 survey.
> But a short synopsis...
> 
> IE fails to encode any byte 7F-FF in the query args (particularly noxious
> with DEL). Retested and this remains true of IE 12 on Windows 10.
> So UTF-8 query arg text is transmitted in raw bytes on IE in violation
> of RFC3986, while all other browsers encode these.
> 
> All browsers use U+FFFD to map the value NUL.  In respect to other
> discussions about ctrl chars, things get interesting. TAB/LF/CR are
> simply eaten and not sent to the server, while other CTRLs in all IE
> query args are considered invalid, and the browser refuses to
> transmit these. Trailing CTRLs on all browsers are simply discarded.
> 
> Given Microsoft's lead here in ignoring or refusing all CTRLs for query
> args (except DEL which they mishandle anyways) it is starting to look
> especially safe to reject all %XX control chars when operating in the
> StrictURI mode (and as a non-default in 2.2/2.4).  Thoughts?

Sounds sensible. Thanks for your hard work on that topic Bill.

Regards

Rüdiger
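
The check discussed in this message (rejecting %XX control characters in query args under a strict mode), sketched in C as an added example; it is not httpd code and not code from this thread. The enum values and function names are hypothetical, and treating raw 0x80-0xFF bytes and malformed escapes as rejections is an assumption of this sketch based on RFC 3986.

```c
#include <stdio.h>
#include <string.h>

/* Added example: result codes and function names are this example's own,
   not identifiers from httpd. */
enum uri_check {
    URI_OK = 0,
    URI_RAW_CTL,      /* unencoded 0x00-0x1F or 0x7F */
    URI_RAW_HIGH,     /* unencoded 0x80-0xFF (raw UTF-8 bytes) */
    URI_BAD_ESCAPE,   /* '%' not followed by two hex digits */
    URI_ENCODED_CTL   /* %XX decoding to 0x00-0x1F or 0x7F */
};

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int is_ctl(unsigned v) { return v < 0x20 || v == 0x7F; }

/* Scan len bytes of a query string; return the first violation found. */
enum uri_check check_query(const char *q, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)q[i];
        if (is_ctl(c)) return URI_RAW_CTL;
        if (c >= 0x80) return URI_RAW_HIGH;
        if (c != '%') continue;
        if (len - i < 3) return URI_BAD_ESCAPE;
        int hi = hexval((unsigned char)q[i + 1]);
        int lo = hexval((unsigned char)q[i + 2]);
        if (hi < 0 || lo < 0) return URI_BAD_ESCAPE;
        if (is_ctl((unsigned)(hi << 4 | lo))) return URI_ENCODED_CTL;
        i += 2;  /* skip the two hex digits just validated */
    }
    return URI_OK;
}

int main(void)
{
    /* Constructed sample query strings, not captured traffic. */
    const char *samples[] = { "q=caf%C3%A9", "q=a%00b", "q=a%7Fb", "q=%0" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s -> %d\n", samples[i],
               (int)check_query(samples[i], strlen(samples[i])));
    return 0;
}
```

The scan takes an explicit length rather than relying on a terminator, so an embedded raw NUL is reported instead of silently truncating the input.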
