From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Vivien Kraus <vivien@planete-kraus.eu>
Newsgroups: gmane.lisp.guile.devel
Subject: Re: [PATCH] Add resolve-relative-reference in (web uri), as in RFC
 3986 5.2.
Date: Wed, 04 Oct 2023 07:29:43 +0200
Message-ID: <5319ff8510e26e07bcd607be099cd34c8be12e58.camel@planete-kraus.eu>
References: <61e17faa8546f6ff79e9bbe1f25f0bf687d3dce1.1695667513.git.vivien@planete-kraus.eu>
 <c515b924-ea1c-43c5-712c-1afbc0fe0b0b@telenet.be>
 <211acc43219fff254c00d4d75b9907dac8bbbec4.camel@planete-kraus.eu>
 <17271bda-cfff-6995-c4a7-f8c39e108e9c@telenet.be>
 <b7d951ab-d220-a204-e43d-f79e2af64472@telenet.be>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="24392"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Evolution 3.46.4
To: Maxime Devos <maximedevos@telenet.be>, guile-devel@gnu.org
Original-X-From: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org Wed Oct 04 07:30:14 2023
Return-path: <guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org>
Envelope-to: guile-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org>)
	id 1qnuSc-00064g-MX
	for guile-devel@m.gmane-mx.org; Wed, 04 Oct 2023 07:30:14 +0200
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guile-devel-bounces@gnu.org>)
	id 1qnuSJ-000788-CK; Wed, 04 Oct 2023 01:29:55 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <vivien@planete-kraus.eu>)
 id 1qnuSH-00077k-7j
 for guile-devel@gnu.org; Wed, 04 Oct 2023 01:29:53 -0400
Original-Received: from planete-kraus.eu ([89.234.140.182])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256)
 (Exim 4.90_1) (envelope-from <vivien@planete-kraus.eu>)
 id 1qnuSE-0004Mg-7f
 for guile-devel@gnu.org; Wed, 04 Oct 2023 01:29:52 -0400
Original-Received: from planete-kraus.eu (localhost.lan [127.0.0.1])
 by planete-kraus.eu (OpenSMTPD) with ESMTP id ae1f9fe9;
 Wed, 4 Oct 2023 05:29:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=planete-kraus.eu; h=
 message-id:subject:from:to:date:in-reply-to:references
 :content-type:content-transfer-encoding:mime-version; s=
 albinoniB; bh=/KupDqLchQiSq5ywSN02PMUItTw=; b=pMigQPfH3GxnzUfhqQ
 rpchBA03kJHT/iLPjNzbstssIl6UNEd9Al78kDt/z1osOXpTnkDBaR964swth4rt
 smHatMuUfDQDJhtTAfmp65FrrG2JnGCw64V5bb22bFz/YfRa6AvlbQ807ntG5Ka9
 lCN9+RYfjKPZCKNNPExXHorB5L69u6K4GpGVffNgi7281ijnnF401mlVKhcPj7pG
 iVLPRgn25BDLuHTlODzFkysqtMXjzkxLQ6ALub1Y3KK8H1ff+Pduc+WcS6ZbLGBr
 gpFXX0lvqUJDICaSsIBvA4/bzqcGaAchykUmXWjkNp0QwXU70ZejiPE3+NyuMFSk
 NZpA==
Original-Received: by planete-kraus.eu (OpenSMTPD) with ESMTPSA id 5b90b4a0
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 4 Oct 2023 05:29:46 +0000 (UTC)
In-Reply-To: <b7d951ab-d220-a204-e43d-f79e2af64472@telenet.be>
Received-SPF: pass client-ip=89.234.140.182;
 envelope-from=vivien@planete-kraus.eu; helo=planete-kraus.eu
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guile-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Developers list for Guile,
 the GNU extensibility library" <guile-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guile-devel>,
 <mailto:guile-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guile-devel>
List-Post: <mailto:guile-devel@gnu.org>
List-Help: <mailto:guile-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guile-devel>,
 <mailto:guile-devel-request@gnu.org?subject=subscribe>
Errors-To: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org
Original-Sender: guile-devel-bounces+guile-devel=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.lisp.guile.devel:22016
Archived-At: <http://permalink.gmane.org/gmane.lisp.guile.devel/22016>

Le mercredi 04 octobre 2023 =C3=A0 00:30 +0200, Maxime Devos a =C3=A9crit=
=C2=A0:
>=20
> > =C2=A0 =C2=A0=C2=A0=C2=A0 The best prevention is not allowing redirects=
 at all or only
> > =C2=A0 =C2=A0=C2=A0=C2=A0 allowing redirections that keep the hostname =
intact -- while
> > an
> > =C2=A0 =C2=A0=C2=A0=C2=A0 option for much software, it isn't an option =
for web
> > browsers.
>=20
> Partially scratch that -- restricting to =E2=80=98keeping hostname intact=
=E2=80=99 is
> insufficient, because there could be a DNS record that points
> 'website=20
> via http' to 127.0.0.1, and hence a redirect from https://website=C2=A0--=
>
> http://website=C2=A0can change IP addresses from global Internet to local=
=20
> computer.

But then, it is not a problem with resolve-relative-reference, and not
even a risk with redirections; if the DNS changes before you query the
page, then the secret page leaks anyway, no redirection needed.

We could add a warning in the "http-request" method documentation,
like:

Be warned that if you are hosting a private HTTP(s) server on your
system, a DNS change for a public target URI to your internal IP
address, or following a redirection from a public target URI to your
private server, may lead you to consider the response originating from
your private server as public.

Would that be a good summary?

Vivien