From: Maxime Devos <maximedevos@telenet.be>
To: Ryan Raymond <rjraymond@oakland.edu>,
"guile-devel@gnu.org" <guile-devel@gnu.org>
Subject: RE: Custom HTTP methods in web module
Date: Sat, 23 Mar 2024 13:49:43 +0100 [thread overview]
Message-ID: <20240323134941.2Cph2C0075DtEJR06CphrM@albert.telenet-ops.be> (raw)
In-Reply-To: <CAGvJ-HSOn7npYqfMOb1shRMf5jJz5xeCxeFH_4iUZi9KmdMvPQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2165 bytes --]
While I agree it has advantages, it is also buggy.
From https://www.rfc-editor.org/rfc/rfc9110.html#name-methods:
* “the method token is case-sensitive”.
So, you need to remove ‘string-upcase’.
* Additional methods, outside the scope of this specification, have been specified for use in HTTP. All such methods ought to be registered within the "Hypertext Transfer Protocol (HTTP) Method Registry", as described in Section 16.1.
(Just a reminder, not a bug with the proposed new parse-http-method.)
If it’s something application-specific, I propose naming the method something like
“APP-METHOD” (where APP = name of APP, METHOD = WAIT / SUBSCRIBE / ...), to avoid potential conflicts.
* “method = token”
“token” is defined in https://www.rfc-editor.org/rfc/rfc9110.html#name-tokens.
So, there are some limitations on what strings are valid method names that you need to verify. For example, suppose that someone uses “GET\0sneaky” as header, and the Guile code places some limits (in terms of 403 forbidden) of what can be read. “GET\0sneaky” passes through because it’s not “GET”, “HEAD” etc.. Let’s say the actual response is constructed by C code, so Guile passes the method to the C-code as a 0-terminated string (as is conventional) and the C-code then interprets “GET\0sneaky” as “GET\0” and sends the response while it shouldn’t.
(I don’t know if this particular situation can happen because perhaps parse-http-method is always used in a context where the string is for some reason already a token, but that’s not something to rely upon)
* A recipient SHOULD parse a received protocol element defensively, with only marginal expectations that the element will conform to its ABNF grammar and fit within a reasonable buffer size.
(quoting this for the “conform to grammar” part, not the “buffer size part”)
(With regards to the first point) this paragraph SHOULD be ignored, this way leads to continued violations of the grammar and potential security problems (see example in previous point). Postel’s law is a mistake.
Best regards,
Maxime Devos
[-- Attachment #2: Type: text/html, Size: 8765 bytes --]
next prev parent reply other threads:[~2024-03-23 12:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-20 22:14 Custom HTTP methods in web module Ryan Raymond
2024-03-23 12:49 ` Maxime Devos [this message]
2024-03-23 18:50 ` Maxime Devos
[not found] ` <CAGvJ-HS5Laqd7=v=WCn4-2zUurXVZcKDFA2+MmNPO-cZO6iUJg@mail.gmail.com>
2024-03-24 13:57 ` Maxime Devos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/guile/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240323134941.2Cph2C0075DtEJR06CphrM@albert.telenet-ops.be \
--to=maximedevos@telenet.be \
--cc=guile-devel@gnu.org \
--cc=rjraymond@oakland.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).