From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Maxime Devos <maximedevos@telenet.be>
Newsgroups: gmane.lisp.guile.devel
Subject: RE: Allowing extended HTTP methods
Date: Thu, 28 Mar 2024 17:17:49 +0100
Message-ID: <20240328171749.4GHn2C00Y4SDPei06GHosd@albert.telenet-ops.be>
References: <CAGvJ-HSO5EYWFjgemopELXG_Subno5d4hm6OqJ_x=vpWvPCG6A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_F6E2AAE8-D773-4091-8ECD-BE6C315C055A_"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="19388"; mail-complaints-to="usenet@ciao.gmane.io"
To: Ryan Raymond <rjraymond@oakland.edu>, 
 "guile-devel@gnu.org" <guile-devel@gnu.org>
Original-X-From: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org Thu Mar 28 17:18:21 2024
Return-path: <guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org>
Envelope-to: guile-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org>)
	id 1rpsSJ-0004kE-QW
	for guile-devel@m.gmane-mx.org; Thu, 28 Mar 2024 17:18:19 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guile-devel-bounces@gnu.org>)
	id 1rpsS0-0006BD-EW; Thu, 28 Mar 2024 12:18:00 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maximedevos@telenet.be>)
 id 1rpsRx-0006B2-R9
 for guile-devel@gnu.org; Thu, 28 Mar 2024 12:17:58 -0400
Original-Received: from albert.telenet-ops.be ([2a02:1800:110:4::f00:1a])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maximedevos@telenet.be>)
 id 1rpsRv-00071x-4B
 for guile-devel@gnu.org; Thu, 28 Mar 2024 12:17:57 -0400
Original-Received: from [IPv6:2a02:1808:2:f159:c48e:b31f:6650:1863]
 ([IPv6:2a02:1808:2:f159:c48e:b31f:6650:1863])
 by albert.telenet-ops.be with bizsmtp
 id 4GHn2C00Y4SDPei06GHosd; Thu, 28 Mar 2024 17:17:49 +0100
Importance: normal
X-Priority: 3
In-Reply-To: <CAGvJ-HSO5EYWFjgemopELXG_Subno5d4hm6OqJ_x=vpWvPCG6A@mail.gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=telenet.be; s=r24;
 t=1711642669; bh=B2yiVw2eA8Jylykia0M9ZnRQ3/94guebSwwLcs19rD8=;
 h=To:From:Subject:Date:In-Reply-To:References;
 b=dNO7gq+yQstMRwKP4VgaLNJipCKSVaWOGUTPepQWxK4aY0BBsxwvjOcKBuYWpnMS9
 LwJykFS2CWiZfjoVuQIZ6nJULvF0TaKzJRHkkcpuSmaF9UyH0AEsVbQx5Ij5Fv5kLR
 5tvBiIJIWCBOTrPeXyP6gztr0mj9IgHW440RZVszhm9wSehhYyfjIBnC5Ppudtv9+Z
 MuuL1LnC7hMlIPhBkT2RRVM/s0juxLNd2m/OWhEI77eomF+NqzaBesByu37ASNX0N4
 jepjMBN+Uf6r9rKx4u/fYsNISgNhMli/cy6MQDNUUmdn2hKCFtyzE+pPS6h4xAawqL
 li+fgLSIdaEBg==
Received-SPF: pass client-ip=2a02:1800:110:4::f00:1a;
 envelope-from=maximedevos@telenet.be; helo=albert.telenet-ops.be
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guile-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Developers list for Guile,
 the GNU extensibility library" <guile-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guile-devel>,
 <mailto:guile-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guile-devel>
List-Post: <mailto:guile-devel@gnu.org>
List-Help: <mailto:guile-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guile-devel>,
 <mailto:guile-devel-request@gnu.org?subject=subscribe>
Errors-To: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org
Original-Sender: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.lisp.guile.devel:22377
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.devel/22377>

--_F6E2AAE8-D773-4091-8ECD-BE6C315C055A_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

As mentioned previous e-mails, either:

=E2=80=A2 the docstring forgets to mention that it is the caller=E2=80=99s =
responsibility it is to check that =E2=80=98str=E2=80=99 is a valid method =
name (and you need to check/adjust the callers to do the check, of which I =
have seen n)
=E2=80=A2 or 'parse-http-method=E2=80=99 is missing a check that (string-le=
ngth str)>0 and the characters of str belong to tchar (defined in the RFC).

Please do not ignore reviews when making PRs =E2=80=93 disagreeing with som=
e review(s) and then mentioning in the commit message/cover letter/comments=
/... as appropriate why you deviate from them is one thing, just acting as =
if they didn=E2=80=99t happen is another.

In the previous discussion I have heard an argument for not doing the check=
, which basically amounts to flexibility for sake of flexibility in spite o=
f potential security problems and in spite of the third option (i.e. with b=
oth security and flexibility) of not allowing it by default and instead add=
ing an argument somewhere to add a custom checker/list of extra allowed met=
hods/... that defaults to what RFC specifies, but I haven=E2=80=99t heard a=
n argument for not properly documenting that what parse-http-method parses =
aren=E2=80=99t HTTP methods so the callers may need to do extra validation.=
=20

Also, the commit message needs to be changed to changelog format.

Also worth checking if the Texinfo documentation mentions parse-http-method=
, and if so, adjust it.

Best regards,
Maxime Devos.

--_F6E2AAE8-D773-4091-8ECD-BE6C315C055A_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" xmlns:w=3D"urn:sc=
hemas-microsoft-com:office:word" xmlns:m=3D"http://schemas.microsoft.com/of=
fice/2004/12/omml" xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta ht=
tp-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta name=
=3DGenerator content=3D"Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
	{mso-style-priority:34;
	margin-top:0cm;
	margin-right:0cm;
	margin-bottom:0cm;
	margin-left:36.0pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
	{page:WordSection1;}
/* List Definitions */
@list l0
	{mso-list-id:1736048691;
	mso-list-type:hybrid;
	mso-list-template-ids:-1526690326 -1 134807555 134807557 134807553 1348075=
55 134807557 134807553 134807555 134807557;}
@list l0:level1
	{mso-level-start-at:0;
	mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:23.0pt;
	text-indent:-18.0pt;
	font-family:Symbol;
	mso-fareast-font-family:"Times New Roman";
	mso-bidi-font-family:"Times New Roman";}
@list l0:level2
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:59.0pt;
	text-indent:-18.0pt;
	font-family:"Courier New";}
@list l0:level3
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:95.0pt;
	text-indent:-18.0pt;
	font-family:Wingdings;}
@list l0:level4
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:131.0pt;
	text-indent:-18.0pt;
	font-family:Symbol;}
@list l0:level5
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:167.0pt;
	text-indent:-18.0pt;
	font-family:"Courier New";}
@list l0:level6
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:203.0pt;
	text-indent:-18.0pt;
	font-family:Wingdings;}
@list l0:level7
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:239.0pt;
	text-indent:-18.0pt;
	font-family:Symbol;}
@list l0:level8
	{mso-level-number-format:bullet;
	mso-level-text:o;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:275.0pt;
	text-indent:-18.0pt;
	font-family:"Courier New";}
@list l0:level9
	{mso-level-number-format:bullet;
	mso-level-text:\F0A7;
	mso-level-tab-stop:none;
	mso-level-number-position:left;
	margin-left:311.0pt;
	text-indent:-18.0pt;
	font-family:Wingdings;}
ol
	{margin-bottom:0cm;}
ul
	{margin-bottom:0cm;}
--></style></head><body lang=3Den-BE style=3D'word-wrap:break-word'><div cl=
ass=3DWordSection1><p class=3DMsoNormal><span lang=3DEN-US>As mentioned pre=
vious e-mails, either:<o:p></o:p></span></p><p class=3DMsoNormal><span lang=
=3DEN-US><o:p>&nbsp;</o:p></span></p><ul style=3D'margin-top:0cm' type=3Ddi=
sc><li class=3DMsoListParagraph style=3D'margin-left:-13.0pt;mso-list:l0 le=
vel1 lfo1'><span lang=3DEN-US>the docstring forgets to mention that it is t=
he caller=E2=80=99s responsibility it is to check that =E2=80=98str=E2=80=
=99 is a valid method name (and you need to check/adjust the callers to do =
the check, of which I have seen n)<o:p></o:p></span></li><li class=3DMsoLis=
tParagraph style=3D'margin-left:-13.0pt;mso-list:l0 level1 lfo1'><span lang=
=3DEN-US>or 'parse-http-method=E2=80=99 is missing a check that (string-len=
gth str)&gt;0 and the characters of str belong to tchar (defined in the RFC=
).</span><span lang=3Den-BE><o:p></o:p></span></li></ul><p class=3DMsoNorma=
l><span lang=3Den-BE><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span=
 lang=3Den-BE>Please do not ignore reviews when making PRs =E2=80=93 disagr=
eeing with some review(s) and then mentioning in the commit message/cover l=
etter/comments/... as appropriate why you deviate from them is one thing, j=
ust acting as if they didn=E2=80=99t happen is another.<o:p></o:p></span></=
p><p class=3DMsoNormal><span lang=3Den-BE><o:p>&nbsp;</o:p></span></p><p cl=
ass=3DMsoNormal><span lang=3Den-BE>In the previous discussion I have heard =
an argument for not doing the check, which basically amounts to flexibility=
 for sake of flexibility in spite of potential security problems and in spi=
te of the third option (i.e. with both security and flexibility) of not all=
owing it by default and instead adding an argument somewhere to add a custo=
m checker/list of extra allowed methods/... that defaults to what RFC speci=
fies, but I haven=E2=80=99t heard an argument for not properly documenting =
that what parse-http-method parses aren=E2=80=99t HTTP methods so the calle=
rs may need to do extra validation. <o:p></o:p></span></p><p class=3DMsoNor=
mal><span lang=3Den-BE><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><sp=
an lang=3Den-BE>Also, the commit message needs to be changed to changelog f=
ormat.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3Den-BE><o:p>&n=
bsp;</o:p></span></p><p class=3DMsoNormal><span lang=3Den-BE>Also worth che=
cking if the Texinfo documentation mentions parse-http-method, and if so, a=
djust it.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3Den-BE><o:p=
>&nbsp;</o:p></span></p><p class=3DMsoNormal><span lang=3Den-BE>Best regard=
s,<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3Den-BE>Maxime Devo=
s.</span><span lang=3Den-BE><o:p></o:p></span></p></div></body></html>=

--_F6E2AAE8-D773-4091-8ECD-BE6C315C055A_--