-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to handle (legal vis-à-vis HTTP) OPTIONS *
requests
#2117
Comments
My initial feeling is, at least cc @tenderlove do you have any opinion? |
In HTTP/1, the RFC sometimes refers to the request "target". However in HTTP/2, this is specified using the Therefore, I think we can assume the correct name is "path". Upon thinking about this, Therefore, based on the fact that HTTP/2 uses
@jeremyevans what do you think of updating the spec in that regard? |
IIRC |
In the HTTP RFCs, it's usually referred to as either "path" or "target". And in HTTP/2, it's always referred to as "path". Regarding historical context, the first usage can be traced back to the CERN httpd: https://github.com/hackervera/cern-httpd/blob/a709a028c11b486c58cad53a09658d30ba327694/Daemon/Implementation/HTScript.c#L584 It simply would have been impossible to call it The only other thing I'd add to this, is just because CERN's httpd server did it this way (canonicalisation), doesn't mean it's actually a good name, which is why we see the CGI RFC naming conventions diverging from the HTTP RFCs IMHO, and rightly so. |
RFC9112 specifies the behaviour we should follow.
Specifically:
I'll try to cut a PR so that |
There is one limitation I didn't consider - HTTP/2 does not support the authority form and instead uses the |
Originally posted by @ioquatix in #2114 (comment)
This is a thorny issue because while RFC9110 asserts (along with its predecessors dating all the way back to RFC2068) that an
OPTIONS *
request is a perfectly valid mechanism for obtaining global information about a Web server's capabilities. However, the CGI spec, RFC3875, upon which the Rack specification is based, does not seem to acknowledge this validity, and thus does not specify how it should be implemented. An informal poll of Web server implementations suggests that the prevailing behaviour is to put the*
ofOPTIONS *
into thePATH_INFO
variable, while leavingSCRIPT_NAME
untouched. What makes this issue thorny is that Rack applications (that are running withoutRack::Lint
) that do not check the request method could be in for a rude surprise if they try to use thePATH_INFO
of anOPTIONS *
under the assumption that it it is either empty or starts with a/
. A particularly obvious hazard is if the*
character gets treated as aglob(3)
pattern.As it stands for Rack, the method
Rack::Request#path
in particular does not account for the possibility thatPATH_INFO
may contain anything other than an empty string or one that starts with/
, per RFC3875 (again, it is my opinion that RFC3875 itself is in error). This situation propagates to other methods inRack::Request
, such as#fullpath
,#url
, and everything downstream from there.One solution (within
Rack::Request
at least) would be, in the call to#path
, to check if the request method wasOPTIONS
and thePATH_INFO
was*
and faking up a result in that case (e.g. using/
in lieu). That would mitigate the potential for harm at least for those applications usingRack::Request
. Those who do not would have to be warned to test the request method before dispatching any URI behaviour (a sensible practice in any case).I should also footnote that the
OPTIONS
method is not the only one where the request-URI is something other than that which starts with a/
; theCONNECT
method for one (which one could conceivably do something useful with in Rack using connection hijacking) and thePRI *
request for upgrading to HTTP/2 are other specimens, off the top of my head. The point here is it's not just the special case ofOPTIONS *
.The text was updated successfully, but these errors were encountered: