httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: StrictURI in the wild [Was: Backporting HttpProtocolOptions survey]
Date Tue, 13 Sep 2016 18:02:13 GMT
On Tue, Sep 13, 2016 at 10:55 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> On Mon, Sep 12, 2016 at 9:19 PM, Eric Covener <covener@gmail.com> wrote:
>
>>
>> For others who might hit a maze of closed/duped bug reports this one
>> is active this year:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1064700
>>
>
> Makes for some disturbing reading... the amount of misinformation
> is truly mind-boggling (especially if you chase down the other reports.)
> Their aspirational goal of duplicating the mistakes of the other clients
> speaks for the wider UA community... sigh. Firefox since 'uncorrected'
> their originally correct handling of '[' and ']' to be equally out-of-spec.
>
> But it leads to a very thorough survey of the queryargs behavior of the
> major browser families which is worth reviewing;
> https://bugzilla.mozilla.org/show_bug.cgi?id=1152455#c6
>

Unwise/unsafe aside, review the rest of that comment 6 survey.
But a short synopsis...

IE fails to encode any byte 7F-FF in the query args (particularly noxious
with DEL). Retested and this remains true of IE 12 on Windows 10.
So UTF-8 query arg text is transmitted in raw bytes on IE in violation
of RFC3986, while all other browsers encode these.

All browsers use U+FFFD to map the value NUL.  In respect to other
discussions about ctrl chars, things get interesting. TAB/LF/CR are
simply eaten and not sent to the server, while other CTRLs in all IE
query args are considered invalid, and the browser refuses to
transmit these. Trailing CTRLs on all browsers are simply discarded.

Given Microsoft's lead here in ignoring or refusing all CTRLs for query
args (except DEL which they mishandle anyways) it is starting to look
especially safe to reject all %XX control chars when operating in the
StrictURI mode (and as a non-default in 2.2/2.4).  Thoughts?
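
The check proposed in the message above, sketched as an added example (not httpd code and not part of the original message): a request-target scan that flags %XX-encoded control characters as well as the raw CTL and raw 80-FF bytes the survey describes. The function name, the verdict enum and the sample targets are hypothetical.

```c
#include <stdio.h>

/* Verdicts for the scan; hypothetical names, not httpd identifiers. */
enum uri_verdict { URI_OK, URI_RAW_CTL, URI_RAW_HIGH, URI_ENC_CTL, URI_BAD_ESCAPE };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F onto a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Scan a NUL-terminated request-target and report the first violation.
 * Only the cases discussed in the message are checked; other characters
 * that RFC 3986 disallows (space, '[', ']' ...) are out of scope here. */
enum uri_verdict strict_uri_scan(const char *uri)
{
    const unsigned char *p = (const unsigned char *)uri;
    for (; *p; p++) {
        if (*p < 0x20 || *p == 0x7F) return URI_RAW_CTL;    /* raw CTL, incl. DEL */
        if (*p >= 0x80) return URI_RAW_HIGH;                /* unencoded 80-FF */
        if (*p == '%') {
            int hi = hexval(p[1]);
            int lo = hi < 0 ? -1 : hexval(p[2]);            /* never read past NUL */
            if (hi < 0 || lo < 0) return URI_BAD_ESCAPE;    /* truncated or non-hex */
            int v = hi * 16 + lo;
            if (v < 0x20 || v == 0x7F) return URI_ENC_CTL;  /* %00-%1F and %7F */
            p += 2;
        }
    }
    return URI_OK;
}

int main(void)
{
    /* Constructed sample request-targets, not taken from any log. */
    const char *samples[] = {
        "/search?q=caf%C3%A9",      /* encoded UTF-8: accepted */
        "/search?q=caf\xC3\xA9",    /* raw UTF-8 bytes, as IE sends them */
        "/search?q=a%09b",          /* encoded TAB */
        "/search?q=a%7Fb",          /* encoded DEL */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> verdict %d\n", i, (int)strict_uri_scan(samples[i]));
    return 0;
}
```
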
