[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handli
From: |
Chicken Trac |
Subject: |
Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs |
Date: |
Sun, 24 Nov 2013 12:57:53 -0000 |
#1074: intarweb request parsing and Spiffy handling of said requests is
inconsistent in case of improper request line URIs
----------------------+-----------------------------------------------------
Reporter: RvdH | Owner: sjamaan
Type: defect | Status: new
Priority: major | Milestone: someday
Component: unknown | Version: 4.8.x
Resolution: | Keywords: bad-request connection
----------------------+-----------------------------------------------------
Comment(by sjamaan):
Replying to [comment:11 RvdH]:
> > However, there are much wider security and connection stability
concerns at stake in this particular instance.
>
> Sorry, but I can think of none.
That's irrelevant. An attacker will find them for you.
It's pretty obvious from the request log fragment Andy posted that there
are attacks being attempted "in the wild", exactly in this dusty corner of
the spec we're looking at. Disconnecting those assholes who are trying
these things is better than trying to serve them a friendly response
telling them what they were doing wrong so that they can tweak their code
to jump through this hoop getting deeper down into the system to exploit.
Like Andy said, it spreads the attack surface.
> > On balance, I think we should do the safest thing, rather than the
most elegant or most useful thing.
>
> It has nothing to do with safeness, elegance or usefulness.
I don't understand why you are so rigid about this. Elegance, usefulness
and especially safety can trump conformance with a spec if there are good
reasons. There are plenty of examples where specs got it wrong and are
blatantly insecure. That's for example why browsers have stopped applying
CSS styling to "visited" links. According to your logic, they should just
keep violating their users' privacy because compliance with a spec is more
important than safety.
> It has to do with conformance to a specification. For example, non-
conformance to a specification is exactly what went wrong with all the
different browsers trying to implement HTML.
Actually, part of the HTML mess is self-inflicted by browsers trying to be
so liberal in accepting cruft and trying to make the best of it. Because
different browsers massage cruft into something different, some sites
break in some browsers. It'd be much better if browsers refused to display
malformed HTML, but the spec says you must be tolerant of errors.
And that leads to fun things like deviations in attribute quotation and
HTML tree rearrangement, making XSS attacks easier to accomplish and
harder to filter out.
> If you claim to be a HTTP server, you implement the HTTP specification.
It is that simple.
If it were, there wouldn't be so many hacks and workarounds in Intarweb
for broken servers.
But thanks for hardening my resolve in this matter. I've updated intarweb
to refuse invalid URIs in the request line, so the above requests now
consistently cause the connection to be dropped.
--
Ticket URL: <http://bugs.call-cc.org/ticket/1074#comment:13>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is invalid in case of improper request line URIs (was: uri-generic: percent-encodings in the authority section cause problems), (continued)
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is invalid in case of improper request line URIs (was: uri-generic: percent-encodings in the authority section cause problems), Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs (was: intarweb request parsing and Spiffy handling of said requests is invalid in case of improper request line URIs), Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/23
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs,
Chicken Trac <=
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24
- Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs, Chicken Trac, 2013/11/24