Re: Sections 3.3.1 and 5.1

Ben Laurie (ben@gonzo.ben.algroup.co.uk)
Fri, 31 May 1996 21:38:07 +0100 (BST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jeffrey Mogul: "Re: Proposed change to 14.6 (Age)"
Previous message: Ben Laurie: "Re: Sections 3.3.1 and 5.1"
In reply to: Paul Leach: "RE: Sections 3.3.1 and 5.1"

Paul Leach wrote:
> 
> 
> 
> >----------
> >From: 	Ben Laurie[SMTP:ben@algroup.co.uk]
> >Subject: 	Sections 3.3.1 and 5.1
> >
> >Section 5.1
> >
> >'The origin server MUST decode the Request-URI in order to properly 
> >interpret the request.  In requests that they forward, proxies MUST NOT
> >
> >rewrite the "abs_path" part of a Request-URI in any way except as noted
> >
> >above to replace a null abs_path with "*". Invalid Request-URIs SHOULD 
> >be responded to with an appropriate status code. Proxies MAY transform 
> >the Request-URI for internal processing purposes, but MUST NOT send
> >such 
> >a transformed Request-URI  in forwarded requests. 
> >Note: This rule ensures that the form of Request-URI is well specified,
> >
> >to enable future extensions without fear that they will break in the 
> >face of some rewritings. One consequence of rewriting the Request-URI
> >is 
> >that integrity or authentication checks by the server may fail. 
> >Implementers should be aware that some pre-HTTP/1.1 proxies have been 
> >known to rewrite the Request-URI.'
> >
> >Speaking as one of those responsible for maintaining the Apache proxy 
> >module, I wonder about the intent of this paragraph - if a proxy is 
> >permitted to rewrite, presumably to make such transformations as a/./b 
> >-> a/b and a/b/../c -> a/c, then it hardly seems fair to allow the 
> >server to interpret them in a different way. Is this what is intended
> >or 
> >are there other kinds of rewriting which it seeks to forbid?
> 
> I don't understand your question -- proxies are NOT permitted to rewrite
> in any way, so the assumption of your "if" sentence is false. And the
> proximate reason is so that inclusion of URLs in authentication
> calculations isn't foiled by proxies rewriting the URLs (as is stated in
> the note at the end of the section you quote).

Proxies are permitted to rewrite internally. I understand the reasoning but
it seems to me that this should be a restrictions on URLs (that is, that they
are always in their canonical form) rather than on proxies.

Cheers,

Ben.

> 
> Paul

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.

Next message: Jeffrey Mogul: "Re: Proposed change to 14.6 (Age)"
Previous message: Ben Laurie: "Re: Sections 3.3.1 and 5.1"
In reply to: Paul Leach: "RE: Sections 3.3.1 and 5.1"