On 8/24/2011 6:43 PM, Roy T. Fielding wrote:
> On Aug 24, 2011, at 4:39 PM, William A. Rowe Jr. wrote:
>
>> On 8/24/2011 4:54 PM, Roy T. Fielding wrote:
>>> On Aug 24, 2011, at 1:56 PM, Roy T. Fielding wrote:
>>>> To be clear, I am more than willing to rewrite the part on
>>>> Ranges such that the above is explicitly forbidden in HTTP.
>>>> I am not sure what the WG would agree to, but I am quite certain
>>>> that part of the reason we have an Apache server is to protect
>>>> the Internet from idiotic ideas like the above.
>>>
>>> http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311
>>
>> Excellent, thanks. Just curious, isn't this clarification outside of
>> the remit of 2616bis?
>
> Security repairs are never out of scope.
Ack.
So, I suspect the best we can do today, 4 days later, is to implement Roy's
draft [link] as the POC/reference implementation and work with the rest of
the http server community to ensure it is the right solution.
I suggest we publish this as a patch, /not/ as a release, until we find just
a bit more buy-in from the other implementors.
Bill