
DisplayString pick-your-own-escaping is an invitation for smuggling attacks #2575

Closed
bsdphk opened this issue Jun 26, 2023 · 1 comment · Fixed by #2594

bsdphk commented Jun 26, 2023

As currently defined, the two serialized DisplayStrings

%"foo\"bla%22bar"

and

%"foo%22bla\"bar"

are semantically identical.

We should either use %-escapes or \-escapes; mixing them this way is asking for smuggling attacks.

mnot commented Jul 11, 2023

I think probably %-escapes; will work up a PR.

mnot added a commit that referenced this issue Jul 11, 2023
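As an added illustration (not code from this issue or from the httpwg project), the following Python parser models both grammars: the mixed one the issue objects to, where `\"` and `%22` spell the same byte, and the %-only one mnot proposes, where every byte outside printable ASCII (plus `"` and `%`) has exactly one spelling. The draft grammar is an assumption simplified from the issue text, not the spec's wording; the point it shows is that with one spelling per byte, parse-then-serialize is the identity on valid input, so a canonical form can be checked.

```python
def parse_display_string(text: str, allow_backslash_escapes: bool) -> str:
    """Decode a serialized Display String (e.g. %"foo%22bar") to a str.

    allow_backslash_escapes=True models the draft grammar the issue describes
    (assumed: \" and \\ accepted alongside %xx). False models a %-only grammar:
    %xx with two lowercase hex digits is the only escape, and '\\' is literal.
    """
    if not text.startswith('%"'):
        raise ValueError("display strings start with %\"")
    out = bytearray()
    i = 2
    while i < len(text):
        c = text[i]
        if c == '"':  # closing quote must be the final character
            if i != len(text) - 1:
                raise ValueError("data after closing quote at offset %d" % i)
            return out.decode("utf-8")  # rejects invalid UTF-8
        if c == "%":  # %xx: exactly two lowercase hex digits
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(h not in "0123456789abcdef" for h in pair):
                raise ValueError("bad %%-escape at offset %d" % i)
            out.append(int(pair, 16))
            i += 3
        elif c == "\\" and allow_backslash_escapes:  # draft-only \" and \\
            nxt = text[i + 1:i + 2]
            if nxt not in ('"', "\\"):
                raise ValueError("bad \\-escape at offset %d" % i)
            out.append(ord(nxt))
            i += 2
        elif " " <= c <= "~":  # printable ASCII is taken literally
            out.append(ord(c))
            i += 1
        else:
            raise ValueError("byte must be %%-escaped at offset %d" % i)
    raise ValueError("unterminated display string")


def serialize_display_string(value: str) -> str:
    """Serialize with the %-only scheme: one spelling per byte, lowercase hex."""
    out = ['%"']
    for b in value.encode("utf-8"):
        if b in (0x22, 0x25) or not 0x20 <= b <= 0x7E:  # '"', '%', non-printable
            out.append("%%%02x" % b)
        else:
            out.append(chr(b))
    out.append('"')
    return "".join(out)


# Constructed inputs: the two serializations quoted in the issue.
FORM_A = '%"foo\\"bla%22bar"'
FORM_B = '%"foo%22bla\\"bar"'
```

Under the mixed grammar both forms decode to the same value, so a filter matching one spelling misses the other; under the %-only grammar both are rejected and only `%"foo%22bla%22bar"` parses.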