-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 3/13/20 07:48, Mark Thomas wrote:
> On 13/03/2020 11:37, ma...@apache.org wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> markt pushed a commit to branch master in repository
>> https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/master by this push:
>>      new 07aabd5  Add a check that the URIEncoding is a superset of US-ASCII.
>> 07aabd5 is described below
>>
>> commit 07aabd553de3af3744b16014765e32d2d276a140
>> Author: Mark Thomas <ma...@apache.org>
>> AuthorDate: Fri Mar 13 11:36:54 2020 +0000
>>
>>     Add a check that the URIEncoding is a superset of US-ASCII.
>>
>>     This is a requirement of RFC7230, section 3.
>
> This really needs to be back-ported. Some improvements in handling of
> edge cases in URIs depend on it.
>
> The question is how strict do we want to be with older versions?
> Options are:
> a) ignore, log a warning and use the default (what Tomcat 10 now does)
> b) same as a) by default but with an option to switch to c)
> c) log a warning but use the requested encoding
>
> Past experience suggests there will be users, somewhere, using
> inappropriate encodings.

And their sites won't work with any web browser that hasn't been
seriously lobotomized.

> RFC 7230 references potential security vulnerabilities of
> inappropriate encodings (I'd expect request smuggling and/or header
> injection).
>
> I'm thinking c) log a warning for a couple of releases then switch
> to a). Possibly switching 8.5.x a couple of releases after we
> switch 9.0.x and 7.0.x a couple of releases after 8.5.x (if at all
> given the EOL announcement). I'd prefer to avoid b) and yet another
> configuration option.

I'm okay with (c) but I'd be just as fine with (a). No reason to
consider (b) IMO.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5r3nUACgkQHPApP6U8
pFicPxAAhfHx2C48IWwDeFDeoQa710hFfTC4H3NSU8VX01l3bVNsa/4yYpMjc59F
6LJxz5tzZaecnxhEH0TWbl/PQ9nYiXSmTCD4qVz08nwYbCp5mJpUyW79OyWG0jyT
6WtDSXblfKJVMdIkStn3HcM05bXlGvUc5mxMpNVPiBIZiwjcPgr22D15PyiVn0O5
NRPCWGnxj2SOeQHmDJuNDoXsWgyGHEKmgJAn+9Bv8F1s5ibAqh0ne5BlD16De2jT
xbMb9CCuysk3Tk1bLfyTVbKKgxD3XDtnU4wxB/r482TkChH1yTX8lVME9fQfuXC+
1Q/XZyMAGbtW5ayuNyGX0v01w3mxba3gG0DbAFfHewHJzM6fYMYoPBZXSHFAMaO5
vMYXAsFGC+s3R1xXP1LThrgoWl0wvW4cuhMUee1GGGpRZ15IoWMw4b4E7N2V0V4x
KxxFm/8i3+A7FDm1zyWNnSMcCC51jujrARNG+XFFFk+E7FRUIAhn2vm4GkU3pcxu
1Ib0xMzIQiZJ1wwLWki5p7/bPL5YbJtN78RUVlw5PO/6bjR8YbmZ62dWkAziJZk4
IJCmLsEFWM9LuBFHc2ihs8PzlWOniJMLP58FTJ3sJSk4V3mIDjmvEUIkBMEsGYEI
X5Inu9ibtoFrcaO0t4aX4V9ce2I+vTQchYdLHcPXb+xan/2I5zE=
=kj4d
-----END PGP SIGNATURE-----
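The thread is about a commit that rejects a URIEncoding which is not a superset of US-ASCII, and about whether older branches should warn and fall back (option a) or warn and honour the setting (option c). The following is an added example written for this page, not the code from commit 07aabd5 or any other Tomcat code: it shows one way to test the superset property with the standard `java.nio.charset` API (every code point 0x00-0x7F must encode to exactly the single byte with that value) and a hypothetical `resolveUriEncoding` helper that applies option (a). The class name, method names, the `fallback` parameter and the list of candidate charset names are all assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative check (not Tomcat's code) that a charset configured as the
 * URIEncoding is a superset of US-ASCII. A request-target is parsed as
 * octets before the configured encoding is applied, so every ASCII
 * character must map to the identical single byte; otherwise delimiters
 * such as '/', '?', '%' and ' ' are not where the byte-level parser thinks.
 */
public class UriEncodingCheck {

    /** True when the charset encodes each of U+0000..U+007F as that one byte. */
    public static boolean isAsciiSuperset(Charset charset) {
        CharsetEncoder encoder = charset.newEncoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        for (int c = 0; c < 0x80; c++) {
            ByteBuffer out;
            try {
                // encode() resets and flushes the encoder, so an encoder that
                // emits a BOM (e.g. UTF-16) produces extra bytes and fails below.
                out = encoder.encode(CharBuffer.wrap(new char[] { (char) c }));
            } catch (CharacterCodingException e) {
                return false; // the ASCII character is not representable at all
            }
            if (out.remaining() != 1 || out.get() != (byte) c) {
                return false; // multi-byte form, or a different value (e.g. EBCDIC)
            }
        }
        return true;
    }

    /**
     * Hypothetical helper implementing option (a) from the thread: an unknown
     * name or a non-ASCII-superset charset is logged and replaced by fallback.
     * Real code would use the project's logger instead of System.err.
     */
    public static Charset resolveUriEncoding(String configured, Charset fallback) {
        Charset requested;
        try {
            requested = Charset.forName(configured);
        } catch (IllegalArgumentException e) {
            // covers both UnsupportedCharsetException and IllegalCharsetNameException
            System.err.println("WARN: unknown URIEncoding [" + configured
                    + "], using " + fallback.name());
            return fallback;
        }
        if (!isAsciiSuperset(requested)) {
            System.err.println("WARN: URIEncoding [" + configured
                    + "] is not a superset of US-ASCII (RFC 7230 section 3), using "
                    + fallback.name());
            return fallback;
        }
        return requested;
    }

    public static void main(String[] args) {
        // Constructed sample of configured values: the first four are valid
        // supersets, the rest must be rejected or are unknown to the JDK.
        String[] candidates = { "UTF-8", "ISO-8859-1", "US-ASCII", "windows-1252",
                "UTF-16", "UTF-32", "IBM037", "no-such-charset" };
        for (String name : candidates) {
            Charset effective = resolveUriEncoding(name, StandardCharsets.UTF_8);
            System.out.println(name + " -> " + effective.name());
        }
    }
}
```

Running `main` reports UTF-8, ISO-8859-1, US-ASCII and windows-1252 as accepted; UTF-16 and UTF-32 fail because each ASCII character becomes more than one byte, IBM037 (EBCDIC, when the JDK provides it) fails because 'A' does not encode as 0x41, and the unknown name takes the fallback. Option (c) from the thread would keep the same check but return `requested` after logging instead of `fallback`.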