From: Chicken Trac
Subject: Re: [Chicken-janitors] #1074: intarweb request parsing and Spiffy handling of said requests is inconsistent in case of improper request line URIs
Date: Sun, 24 Nov 2013 12:57:53 -0000

#1074: intarweb request parsing and Spiffy handling of said requests is
inconsistent in case of improper request line URIs
----------------------+-----------------------------------------------------
  Reporter:  RvdH     |       Owner:  sjamaan               
      Type:  defect   |      Status:  new                   
  Priority:  major    |   Milestone:  someday               
 Component:  unknown  |     Version:  4.8.x                 
Resolution:           |    Keywords:  bad-request connection
----------------------+-----------------------------------------------------

Comment(by sjamaan):

 Replying to [comment:11 RvdH]:
 > > However, there are much wider security and connection stability
 > > concerns at stake in this particular instance.
 >
 > Sorry, but I can think of none.

 That's irrelevant. An attacker will find them for you.

 It's pretty obvious from the request log fragment Andy posted that there
 are attacks being attempted "in the wild", exactly in this dusty corner of
 the spec we're looking at. Disconnecting those assholes who are trying
 these things is better than trying to serve them a friendly response
 telling them what they were doing wrong so that they can tweak their code
 to jump through this hoop getting deeper down into the system to exploit.
 Like Andy said, it spreads the attack surface.

 > > On balance, I think we should do the safest thing, rather than the
 > > most elegant or most useful thing.
 >
 > It has nothing to do with safeness, elegance or usefulness.

 I don't understand why you are so rigid about this.  Elegance, usefulness
 and especially safety can trump conformance with a spec if there are good
 reasons. There are plenty of examples where specs got it wrong and are
 blatantly insecure.  That's for example why browsers have stopped applying
 CSS styling to "visited" links. According to your logic, they should just
 keep violating their users' privacy because compliance with a spec is more
 important than safety.

 > It has to do with conformance to a specification. For example, non-
 > conformance to a specification is exactly what went wrong with all the
 > different browsers trying to implement HTML.

 Actually, part of the HTML mess is self-inflicted by browsers trying to be
 so liberal in accepting cruft and trying to make the best of it. Because
 different browsers massage cruft into something different, some sites
 break in some browsers. It'd be much better if browsers refused to display
 malformed HTML, but the spec says you must be tolerant of errors.

 And that leads to fun things like deviations in attribute quotation and
 HTML tree rearrangement, making XSS attacks easier to accomplish and
 harder to filter out.

 > If you claim to be a HTTP server, you implement the HTTP specification.
 > It is that simple.

 If it were, there wouldn't be so many hacks and workarounds in Intarweb
 for broken servers.

 But thanks for hardening my resolve in this matter. I've updated intarweb
 to refuse invalid URIs in the request line, so the above requests now
 consistently cause the connection to be dropped.

-- 
Ticket URL: <http://bugs.call-cc.org/ticket/1074#comment:13>
Chicken Scheme <http://www.call-with-current-continuation.org/>
Chicken Scheme is a compiler for the Scheme programming language.
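The policy sjamaan settles on at the end of the comment, a strict parse of the request line that refuses any request-target which is not a well-formed URI and drops the connection rather than answering, is illustrated below by an added example in Python. It is not intarweb's or Spiffy's own Scheme code and does not reproduce the change made in the ticket; it is a from-scratch parser that follows the request-line grammar of RFC 7230 (method SP request-target SP HTTP-version CRLF) and the four request-target forms, with the URI grammar deliberately simplified (the authority in absolute-form and authority-form is restricted to a host name, IPv6 literal and port, and no normalization is attempted). The sample request lines at the bottom are constructed for this example, not taken from Andy's log.

```python
import re
from typing import Tuple

# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"   (RFC 3986)
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
_SEGMENT = rf"{_PCHAR}*"
# absolute-path = 1*( "/" segment )                            (RFC 7230 2.7)
_ABS_PATH = rf"(?:/{_SEGMENT})+"
_QUERY = rf"(?:{_PCHAR}|[/?])*"
# Simplified authority: host or [IPv6] plus an optional port (assumption).
_AUTHORITY = r"(?:[A-Za-z0-9\-._~%]+|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?"

ORIGIN_FORM = re.compile(rf"^{_ABS_PATH}(?:\?{_QUERY})?$")
ABSOLUTE_FORM = re.compile(rf"^https?://{_AUTHORITY}(?:{_ABS_PATH})?(?:\?{_QUERY})?$")
AUTHORITY_FORM = re.compile(rf"^{_AUTHORITY}$")
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")     # method = token
VERSION = re.compile(r"^HTTP/[0-9]\.[0-9]$")


class BadRequestLine(ValueError):
    """The request line is not well-formed. The caller drops the connection."""


def classify_target(method: str, target: str) -> str:
    """Return which RFC 7230 request-target form `target` is, or raise."""
    if target == "*":
        if method != "OPTIONS":
            raise BadRequestLine("asterisk-form is only valid for OPTIONS")
        return "asterisk-form"
    if method == "CONNECT":
        if AUTHORITY_FORM.fullmatch(target):
            return "authority-form"
        raise BadRequestLine("CONNECT requires authority-form")
    if ORIGIN_FORM.fullmatch(target):
        return "origin-form"
    if ABSOLUTE_FORM.fullmatch(target):
        return "absolute-form"
    raise BadRequestLine("request-target is not a valid URI form")


def parse_request_line(line: bytes) -> Tuple[str, str, str]:
    """Strictly parse one request line; return (method, target, form)."""
    try:
        text = line.decode("ascii")          # raw non-ASCII bytes are invalid
    except UnicodeDecodeError as exc:
        raise BadRequestLine("non-ASCII byte in request line") from exc
    if not text.endswith("\r\n"):            # a bare LF is not accepted
        raise BadRequestLine("request line not terminated by CRLF")
    parts = text[:-2].split(" ")             # exactly two single spaces
    if len(parts) != 3 or "" in parts:
        raise BadRequestLine("expected 'method SP target SP version'")
    method, target, version = parts
    if not TOKEN.fullmatch(method):
        raise BadRequestLine("method is not a token")
    if not VERSION.fullmatch(version):
        raise BadRequestLine("bad HTTP-version")
    return method, target, classify_target(method, target)


def handle_request_line(line: bytes) -> Tuple[str, str]:
    """The policy from the thread: no friendly 400 for a malformed request
    line, the connection is simply dropped.  Returns ('serve', form) or
    ('drop', reason) so a caller can act on it."""
    try:
        _, _, form = parse_request_line(line)
    except BadRequestLine as exc:
        return "drop", str(exc)
    return "serve", form


# Constructed sample request lines (not from the ticket's log fragment).
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",            # origin-form
    b"GET /search?q=a%20b&x=1 HTTP/1.1\r\n",    # origin-form with query
    b"OPTIONS * HTTP/1.1\r\n",                  # asterisk-form
    b"CONNECT example.com:443 HTTP/1.1\r\n",    # authority-form
    b"GET http://example.com/a HTTP/1.1\r\n",   # absolute-form
    b"GET /a b HTTP/1.1\r\n",                   # unencoded space: drop
    b"GET index.html HTTP/1.1\r\n",             # relative path: drop
    b"GET /%zz HTTP/1.1\r\n",                   # bad percent-encoding: drop
    b"GET /caf\xc3\xa9 HTTP/1.1\r\n",           # raw UTF-8 bytes: drop
    b"GET /a\x00b HTTP/1.1\r\n",                # control character: drop
    b"GET / HTTP/1.1\n",                        # bare LF: drop
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", handle_request_line(sample))
```

The point of the `handle_request_line` wrapper is that every rejection path collapses to the same observable behaviour ("drop"): a client probing the server learns nothing about which check it tripped, which is the consistency the ticket title asks for. A server that wants to log the reason still has it in the second tuple element.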
