From mboxrd@z Thu Jan 1 00:00:00 1970
Delivered-To: chneukirchen@gmail.com
Date: Sun, 13 Dec 2009 12:04:53 -0800 (PST)
From: macournoyer
To: Rack Development
Reply-To: rack-devel@googlegroups.com
Subject: Re: PATH_INFO spec (with regard to ";")
Message-ID: <27dd9d1d-9cba-4a0a-b74d-0f33a8c04df2@d21g2000yqn.googlegroups.com>
In-Reply-To: <20091210223037.GB22867@dcvr.yhbt.net>
References: <20091210223037.GB22867@dcvr.yhbt.net>
Mailing-list: list rack-devel@googlegroups.com; contact rack-devel+owners@googlegroups.com
X-Thread-Url: http://groups.google.com/group/rack-devel/t/5984cfeef920f24d
X-Message-Url: http://groups.google.com/group/rack-devel/msg/e22eb4a645257d42
Content-Type: text/plain; charset=ISO-8859-1

"not completely kosher" as in a security issue? Should I revert this change in Thin?

On Dec 10, 5:30 pm, Eric Wong wrote:
> Hi all,
>
> I've been notified privately that my changes for PATH_INFO in Unicorn
> 0.95.2 (which also got into Thin) may not be completely kosher, but I'm
> also asking for the Rack team to clarify PATH_INFO for HTTP parser
> implementers.
>
> Upon further reading (and also of the
> related-but-not-necessarily-true-for-Rack RFC 3875 section 4.1.5),
> I came across this:
>
>     Unlike a URI path, the PATH_INFO is not URL-encoded, and cannot
>     contain path-segment parameters.
>
> First off, Rack already directly contradicts the "the PATH_INFO is not
> URL-encoded" part, so Unicorn conforms to Rack specs over RFC 3875.
>
> *But* Rack does not address the "cannot contain path-segment parameters"
> part at all.  So I (and probably a few other people) would like
> clarification on how to handle PATH_INFO when it comes to ";"
>
> Things to keep in mind:
>
>   * URI.parse keeps ";" in URI::HTTP#path
>     This point may not be relevant to us, as PATH_INFO and
>     URI::HTTP#path should not necessarily be treated as equals
>
>   * WEBrick keeps ";" in PATH_INFO
>
>   * PEP333 (which Rack is based on) does not go into this level of
>     detail regarding PATH_INFO and path segments
>
>   * PATH_INFO in Rack appears to be based on CGI/1.1 (RFC 3875)
>
>   * Again, Rack already contradicts the URL encoding rules of RFC 3875
>     for PATH_INFO, so there is precedent for Rack contradicting more
>     of RFC 3875...
>
>   * Rack::Request#full_path only looks at PATH_INFO + QUERY_STRING,
>     this means many Rack applications may never see the ";" parts
>     if Thin and Unicorn revert to old behavior.
>
>   * Rack does not require REQUEST_URI, this is an extension Unicorn
>     and Thin both carried over from Mongrel.
>
>   * None of the official rack/rack-contrib middleware use REQUEST_URI
>
> Of course, in the grand scheme of things, hardly anybody uses ";" in
> paths.  Yay for rare corner cases making our lives difficult.
>
> --
> Eric Wong
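The practical consequence of the two policies Eric's list contrasts (WEBrick keeping ";" in PATH_INFO versus a parser stripping path-segment parameters per RFC 3875 section 4.1.5) is easiest to see side by side. The following Ruby is an added illustration written for this thread, not code from Thin, Unicorn, Rack or WEBrick: it models both policies with a hypothetical `build_env` that fills only the three env keys the thread mentions, and reproduces what `Rack::Request#full_path` reconstructs from PATH_INFO and QUERY_STRING alone. The `:keep` and `:strip` policy names and the sample request target are constructed for the example. The point a reviewer should take from it is that, under the stripping policy, any middleware or router that matches on PATH_INFO and any code that reads the Mongrel-derived REQUEST_URI extension see two different paths for the same request; whichever policy Rack settles on, every layer in a deployment should agree on it.

```ruby
# Added example (not from the rack-devel thread or any of the projects it
# names): how a server's choice to keep or strip ";" path-segment parameters
# changes what a Rack application sees.
#   :keep  -> ";" stays in PATH_INFO (what the thread says WEBrick does)
#   :strip -> segment parameters are removed from PATH_INFO (RFC 3875 4.1.5
#             wording); they survive only in the REQUEST_URI extension
# Both policy names are hypothetical labels used only by this example.

# Split a request-target into path and query string. No URL decoding is done,
# because Rack (unlike RFC 3875) leaves PATH_INFO URL-encoded.
def split_target(target)
  path, query = target.split('?', 2)
  [path, query || '']
end

# Remove ";param" from every path segment: "/a;v=1/b" -> "/a/b".
# split('/', -1) keeps empty leading/trailing segments so "/" and "/a/" survive.
def strip_segment_params(path)
  path.split('/', -1).map { |seg| seg.split(';', 2).first.to_s }.join('/')
end

# Build the subset of a Rack env a hypothetical HTTP parser would produce
# under the chosen policy. REQUEST_URI is the Mongrel-derived extension the
# thread mentions; Rack itself does not require it.
def build_env(target, policy)
  path, query = split_target(target)
  path_info = policy == :strip ? strip_segment_params(path) : path
  {
    'REQUEST_URI'  => target,
    'PATH_INFO'    => path_info,
    'QUERY_STRING' => query,
  }
end

# What Rack::Request#full_path reconstructs: PATH_INFO plus QUERY_STRING only.
# Anything the parser removed from PATH_INFO is invisible here.
def full_path(env)
  return env['PATH_INFO'] if env['QUERY_STRING'].empty?
  "#{env['PATH_INFO']}?#{env['QUERY_STRING']}"
end

# Run one request-target through both policies and report whether a router
# matching on PATH_INFO and code reading REQUEST_URI would disagree.
def compare(target)
  keep  = build_env(target, :keep)
  strip = build_env(target, :strip)
  {
    keep_full_path:  full_path(keep),
    strip_full_path: full_path(strip),
    paths_diverge:   strip['PATH_INFO'] != split_target(strip['REQUEST_URI']).first,
  }
end

if __FILE__ == $0
  # Constructed sample target containing a segment parameter.
  puts compare('/docs;v=1/page?x=1').inspect
  puts compare('/docs/page').inspect
end
```

With the constructed target `/docs;v=1/page?x=1`, `full_path` yields `/docs;v=1/page?x=1` under `:keep` and `/docs/page?x=1` under `:strip`, and `paths_diverge` is true only under the stripping policy; for a target without ";" the two policies agree.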