Add some warnings about concatenation of URI parts #1017

Merged
merged 2 commits into from Jan 13, 2022

martinthomson
Collaborator

It's going to happen anyway, but we can at least warn people.

This doesn't specify what validation is necessary in any detail (that is
somewhat involved), it only notes that simple concatenation is almost
certainly not secure.

Closes #1015.

<xref target="HttpHeaders"/> does not include specific rules for validation of
pseudo-header fields. If the values of these fields are used, additional validation is
necessary. This is particularly important where <tt>:scheme</tt>, <tt>:authority</tt>,
and <tt>:path</tt> are combined to form a single URI string (<xref target="RFC3986"/>).
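Review bot: The second sentence ("If the values of these fields are used, additional validation is necessary") does not say what the values should be validated against, so an implementer has nothing concrete to act on. Consider tying it to the combination case in the following sentence, for example by stating that each of :scheme, :authority and :path needs to be checked against the syntax of the URI component it supplies (RFC 3986) before the parts are joined.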
Contributor

maybe add "and/or when combined with :method to rebuild a request line" since all implementations were caught with a space in that one.

Collaborator Author

Thanks Willy, I've added a sentence.

@wtarreau
Contributor

OK that's fine by me. At least they're warned, and those who want to know more will easily find info on the subject, including these conversations. Thank you Martin!

Collaborator

@Lukasa Lukasa left a comment

LGTM.

@Lukasa Lukasa merged commit 4ba6046 into httpwg:main Jan 13, 2022
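
The kind of per-field validation this thread refers to, as an added example that is not part of the pull request or the specification text: each pseudo-header field is checked against the grammar of the component it fills before anything is concatenated into a URI or a request line. The function names, the exception class and the sample request are hypothetical, and the sketch assumes origin-form `http`/`https` requests only (no `CONNECT`, no `OPTIONS *`) with a deliberately conservative host character set.

```python
import re

# Grammars follow RFC 9110 (method token) and RFC 3986 (URI components).
# All names here are hypothetical, chosen for this example.
PCHAR = r"(?:[A-Za-z0-9._~!$&'()*+,;=:@/\-]|%[0-9A-Fa-f]{2})"
PATTERNS = {
    ":method": re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"),
    ":scheme": re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*"),
    # host[:port] with a conservative host character set: no userinfo "@",
    # no "/", "?", "#", whitespace or control characters.
    ":authority": re.compile(r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~\-]+)(?::[0-9]*)?"),
    # origin-form only: absolute path plus optional query.
    ":path": re.compile(rf"/{PCHAR}*(?:\?(?:{PCHAR}|\?)*)?"),
}


class PseudoHeaderError(ValueError):
    """A pseudo-header field failed validation."""


def build_uri(pseudo):
    """Validate every field first, then concatenate into one URI string."""
    for name, pattern in PATTERNS.items():
        value = pseudo.get(name)
        if value is None or not pattern.fullmatch(value):
            raise PseudoHeaderError(f"rejected {name}: {value!r}")
    return f"{pseudo[':scheme']}://{pseudo[':authority']}{pseudo[':path']}"


def build_request_line(pseudo):
    """Rebuild an HTTP/1.1 request line from the same validated fields."""
    build_uri(pseudo)  # raises PseudoHeaderError on any malformed field
    return f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"


def is_acceptable(pseudo):
    """True when every pseudo-header field passes validation."""
    try:
        build_uri(pseudo)
        return True
    except PseudoHeaderError:
        return False


if __name__ == "__main__":
    # Constructed sample request, then the same request with one bad field each.
    good = {":method": "GET", ":scheme": "https",
            ":authority": "example.com:8443", ":path": "/a/b?x=1"}
    print(build_uri(good), "|", build_request_line(good))
    for name, bad in [(":method", "GET x"), (":path", "/a b"), (":authority", "example.com/x")]:
        print(name, repr(bad), "accepted" if is_acceptable({**good, name: bad}) else "rejected")
```
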

Successfully merging this pull request may close these issues.

pseudo-header stricter validation