Kerry,

On 2011-11-14 18:41, Kerry Lynn wrote:
> Greetings,
> 
> I've noticed that a "bug" has re-appeared in Firefox:
> https://bugzilla.mozilla.org/show_bug.cgi?id=700999
> 
> In older versions of Firefox (e.g. 3.6.23) it is possible to enter URIs of
> the form http://[fe80::206:98ff:fe00:232%tap0] in the
> location bar and get a positive result.  This capability is quite handy in
> simple testing scenarios and obviously requires the client and server
> to be on a common link (so I don't necessarily see how it creates a
> security risk.)
> 
> According to a note attached to the bug, the regression occurred as a
> result of fixing a security bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=504014
> I don't seem to have access to that bug, so I don't know the complete
> rationale.  However, the note on 700999 says the title is "Enforce RFC
> 3986 syntax for IPv6 literals".  It goes on to say that RFC 3986
> "disallows" interface specifiers (a.k.a. zone indices:
> http://en.wikipedia.org/wiki/IPv6_address#Link-local_addresses_and_zone_indices
> ).
> 
> I don't see how a link-local address can be used in this context w/o
> using a zone index.  

As soon as there's more than one interface, there is an issue.

> Granted, RFC 3986 doesn't cover this case but
> it also doesn't prohibit it.  

Yes it does, because the ABNF for IPv6address is for an address, not
a scoped address. A scoped address would not conform to the ABNF, so
that amounts to a prohibition.

> This leads me to suspect it was an oversight,

This part of RFC 3986 derives from RFC 2732 (which had broken ABNF,
and didn't allow for a scoped address, because they didn't exist then).

> so I'm wondering if RFC 3986 needs to be updated to cover link-
> local IPv6 literals?  If so, is there a reference that could be used to
> derive the necessary ABNF?

I don't believe so. The ABNF has never been extended to cover RFC 4007
as far as I know.

Getting RFC 3986 updated would be reasonably complicated I suspect.
It involves a chat with the W3C people for a start.

   Brian

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
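
Added example, not part of the original message: a Python check of a bracketed URI host against the RFC 3986 IPv6address ABNF discussed above, showing that the address from the thread conforms only once its %tap0 zone index is removed. The function name classify_ip_literal and the labels it returns are assumptions made for illustration; the IPvFuture alternative of IP-literal is not handled.

```python
import re

# RFC 3986 section 3.2.2 building blocks, transcribed from the ABNF.
H16 = r"[0-9A-Fa-f]{1,4}"
DEC = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"
IPV4 = rf"{DEC}\.{DEC}\.{DEC}\.{DEC}"
LS32 = rf"(?:{H16}:{H16}|{IPV4})"


def _pre(n):
    """Optional prefix before '::', i.e. [ *n( h16 ":" ) h16 ]."""
    return rf"(?:(?:{H16}:){{0,{n}}}{H16})?"


# The nine alternatives of IPv6address, in the order the RFC lists them.
ALTS = [
    rf"(?:{H16}:){{6}}{LS32}",
    rf"::(?:{H16}:){{5}}{LS32}",
    rf"{_pre(0)}::(?:{H16}:){{4}}{LS32}",
    rf"{_pre(1)}::(?:{H16}:){{3}}{LS32}",
    rf"{_pre(2)}::(?:{H16}:){{2}}{LS32}",
    rf"{_pre(3)}::{H16}:{LS32}",
    rf"{_pre(4)}::{LS32}",
    rf"{_pre(5)}::{H16}",
    rf"{_pre(6)}::",
]
IPV6ADDRESS = re.compile("(?:" + "|".join(ALTS) + ")")


def classify_ip_literal(literal):
    """Return 'ipv6', 'scoped' or 'invalid' for a bracketed URI host.

    'ipv6'   : conforms to the RFC 3986 IPv6address production
    'scoped' : a valid address followed by %zone, which the ABNF has no rule for
    """
    if not (literal.startswith("[") and literal.endswith("]")):
        return "invalid"
    body = literal[1:-1]
    if IPV6ADDRESS.fullmatch(body):
        return "ipv6"
    addr, sep, zone = body.partition("%")
    if sep and zone and IPV6ADDRESS.fullmatch(addr):
        return "scoped"
    return "invalid"


if __name__ == "__main__":
    for host in ("[fe80::206:98ff:fe00:232]", "[fe80::206:98ff:fe00:232%tap0]"):
        print(host, "->", classify_ip_literal(host))
```
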
