On 8/24/25 4:33 AM, Roy T. Fielding wrote:
> Note that allowing link local identifiers in apr means that all users of the
> API are subject to the security considerations of
> RFC6874.
>
> 4. Security Considerations <https://datatracker.ietf.org/doc/html/rfc6874#section-4>
>
> The security considerations from the URI syntax specification
> [RFC3986 <https://datatracker.ietf.org/doc/html/rfc3986>] and the IPv6
> Scoped Address Architecture specification
> [RFC4007 <https://datatracker.ietf.org/doc/html/rfc4007>] apply. In
> particular, this URI format creates a specific
> pathway by which a deceitful zone index might be communicated, as
> mentioned in the final security consideration of the Scoped Address
> Architecture specification. It is emphasised that the format is
> intended only for debugging purposes, but of course this intention
> does not prevent misuse.
>
> To limit this risk, implementations MUST NOT allow use of this format
> except for well-defined usages, such as sending to link-local
> addresses under prefix fe80::/10. At the time of writing, this is
> the only well-defined usage known.
>
> An HTTP client, proxy, or other intermediary MUST remove any ZoneID
> attached to an outgoing URI, as it has only local significance at the
> sending host.
>
>
> Is this feature needed somewhere, or just being implemented because it is in
> an RFC?
The proposal was in https://bz.apache.org/bugzilla/show_bug.cgi?id=69754 and it was seen as useful to support a possible way forward for https://bz.apache.org/bugzilla/show_bug.cgi?id=69753.

The previous code, when parsing a URI, just left stuff untouched whether the zone was added via a single '%' or via an encoded '%' as '%25'. The same was true for the unparsing code, which just left a '%' or '%25' inside the hostname as is.

Hence I currently don't see how things get worse now than they were before. Of course it can be debated whether the previous code (and now the current code) should have removed any scope IDs, at least if they were added to IPv6 addresses outside the prefix fe80::/10.
Regards
Rüdiger
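As an added example (not APR code and not from either participant in the thread), the following C sketch shows what the two RFC 6874 Section 4 rules quoted above look like when applied to an IPv6 host literal: splitting "[addr%25zone]" (and the bare "[addr%zone]" form the reply says the old parser also passed through) into address and ZoneID, checking whether the address is within fe80::/10, and emitting the host for an outgoing URI with the ZoneID removed. The function names, the struct, and the policy of rejecting a ZoneID on a non-link-local address are assumptions for illustration; only unreserved characters are accepted in the ZoneID.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type (illustration only, not an APR type). */
typedef struct {
    char addr[INET6_ADDRSTRLEN]; /* address text without brackets or zone */
    char zone[64];               /* decoded ZoneID, empty if none        */
    int  link_local;             /* nonzero if addr is within fe80::/10  */
} ip6_host;

/* Split "[addr]", "[addr%zone]" or "[addr%25zone]" (RFC 6874 encoded form).
 * Returns 0 on success, -1 on a syntax error or an unparsable address. */
int parse_ip6_host(const char *host, ip6_host *out)
{
    size_t n = strlen(host);
    if (n < 3 || host[0] != '[' || host[n - 1] != ']')
        return -1;
    const char *start = host + 1;
    const char *end   = host + n - 1;            /* points at ']' */
    const char *pct   = memchr(start, '%', (size_t)(end - start));
    const char *aend  = pct ? pct : end;
    size_t alen = (size_t)(aend - start);
    if (alen == 0 || alen >= sizeof out->addr)
        return -1;
    memcpy(out->addr, start, alen);
    out->addr[alen] = '\0';
    out->zone[0] = '\0';

    if (pct) {
        const char *z = pct + 1;
        /* "%25" is the pct-encoded '%' RFC 6874 requires; a bare '%' is tolerated */
        if (end - z >= 2 && z[0] == '2' && z[1] == '5')
            z += 2;
        size_t zlen = (size_t)(end - z);
        if (zlen == 0 || zlen >= sizeof out->zone)
            return -1;
        for (size_t i = 0; i < zlen; i++) {      /* ZoneID = 1*unreserved here */
            unsigned char c = (unsigned char)z[i];
            if (!(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~'))
                return -1;
        }
        memcpy(out->zone, z, zlen);
        out->zone[zlen] = '\0';
    }

    struct in6_addr a;
    if (inet_pton(AF_INET6, out->addr, &a) != 1)
        return -1;
    /* fe80::/10: first byte 0xfe, top two bits of second byte 10 */
    out->link_local = (a.s6_addr[0] == 0xfe && (a.s6_addr[1] & 0xc0) == 0x80);
    return 0;
}

/* Apply the quoted Section 4 rules to a host literal going into an outgoing URI:
 * a ZoneID is only allowed on a link-local address (assumed policy: reject otherwise),
 * and the ZoneID is never forwarded because it has only local significance.
 * Writes "[addr]" into out; returns 0 on success, -1 on rejection. */
int outgoing_ip6_host(const char *host, char *out, size_t outsz)
{
    ip6_host h;
    if (parse_ip6_host(host, &h) != 0)
        return -1;
    if (h.zone[0] != '\0' && !h.link_local)
        return -1;                               /* the "deceitful zone index" path */
    int n = snprintf(out, outsz, "[%s]", h.addr);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "[fe80::1%25eth0]", "[fe80::1%eth0]",
                              "[2001:db8::1%25eth0]", "[2001:db8::1]", "fe80::1" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = outgoing_ip6_host(samples[i], buf, sizeof buf);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

The parser deliberately keeps the address and the zone apart, so the fe80::/10 check is made on the address alone and the zone can never influence which host is resolved.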