Re: [jetty-users] org.eclipse.jetty.http.HttpField

Bad example perhaps with If-Match, but substitute for If-None-Match and it’s not a violation.

However, ETags are opaque, so it’s not clear to me how I would distinguish the following:

If-None-Match: W/"RYNBLKMNQ/LK"
If-None-Match: "W/RYNBLKMNQ/LK"

Which one is weak and which one isn’t?

On Thu, Oct 29, 2020 at 3:54 PM Joakim Erdfelt joakim@xxxxxxxxxxx wrote:

So there's 2 topics here, both about field values.

1. What does comma mean?
2. What does dquote mean?

If there is a comma present, and it's not within a DQUOTE pair, then that's the delimiter between field-values.

So that means ...

Example 1:

X-Foo: apple, banana, pear

Is a field of name "X-Foo", with 3 values:
1. apple
2. banana
3. pear

This can also be represented across multiple headers of the same name.

Example 2:

X-Foo: apple
X-Foo: banana
X-Foo: pear

Those 2 examples are equivalent field definitions.

Those 3 values, as they are written, are considered "token" field values per spec.


You can have a field value of either: 
1. a token
2. quoted-string
3. comment

The rules for "token" are ...

     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters

Also, it notes that delimiters are (DQUOTE and "(),/:;<=>?@[\]{}")

The rules for "quoted-string" are ...

     quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
     qdtext         = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
     obs-text       = %x80-FF

If we take these rules and apply them to your stated example strings ...

Your Example 1:

If-Match: "ab35ef1bc78", "5be73a9c523"

This is a field of name "If-Match", with 2 quoted-string values.

1. ab35ef1bc78
2. 5be73a9c523

Your Example 2:

If-Match: W/"ab35ef1bc78", W/"5be73a9c523"

This is a field of name "If-Match".
It has 2 values, both of which are in violation of the spec.
Why?
This starts being parsed as a token, as it doesn't start with DQUOTE.
This field-value has 3 forbidden delimiter characters, the "/" is invalid, and so are the DQUOTE characters.
This example doesn't fit the definition for quoted-string either, as it doesn't start with DQUOTE.

If your example was ...

If-Match: "W/ab35ef1bc78", "W/5be73a9c523"

Then you would satisfy the quoted-string rules. (as the "/" is %x2F and within the allowed qdtext definition).
And the parsed definition would be ..

Field with name "If-Match", with a value list

1. W/ab35ef1bc78
2. W/5be73a9c523

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Thu, Oct 29, 2020 at 2:21 PM Cantor, Scott <cantor.2@xxxxxxx> wrote:
On 10/29/20, 3:14 PM, "jetty-users-bounces@xxxxxxxxxxx on behalf of Nils Kilden-Pedersen" <jetty-users-bounces@xxxxxxxxxxx on behalf of nilskp@xxxxxxxxx> wrote:

>    I disagree. The quotes are part of the value and are significant.

I agree.

I was curious about this and followed the thread because I make use of the etags feature in the DefaultServlet. It seems to operate properly so far as it goes, but that may be due to simply expecting and handling the fact that the quotes are gone, or by not properly handling weak vs. strong comparison.

But if something behind the server were looking at the header value, it would be getting a corrupted value out to compare with its own copy of the tag if it had produced it.

-- Scott


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
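
An added example, not part of the original thread and not Jetty's code: a small Python sketch that splits a field value on commas outside DQUOTE pairs, classifies each member against the token and quoted-string rules quoted above, and separately applies the entity-tag rule from RFC 7232 section 2.3, which the thread does not quote. The function names are illustrative, and the last helper shows why dropping the quotes makes the two If-None-Match values from the top of the thread indistinguishable.

```python
import re

# token and quoted-string follow the ABNF quoted in the thread; quoted-pair
# (RFC 7230) and entity-tag (RFC 7232 section 2.3) are not quoted there.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
QUOTED = re.compile(
    r'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"')
ETAG = re.compile(r'(W/)?"([\x21\x23-\x7e\x80-\xff]*)"')


def split_members(value):
    """Split a field value on commas that sit outside a DQUOTE pair."""
    members, current, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quotes:
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            members.append("".join(current).strip(" \t"))
            current = []
            continue
        current.append(ch)
    members.append("".join(current).strip(" \t"))
    return [m for m in members if m]


def classify(member):
    """Name the generic field-value rule a member satisfies, else 'invalid'."""
    if TOKEN.fullmatch(member):
        return "token"
    if QUOTED.fullmatch(member):
        return "quoted-string"
    return "invalid"


def parse_etag(member):
    """Return (is_weak, opaque_tag) per the entity-tag rule, or None."""
    m = ETAG.fullmatch(member)
    return None if m is None else (m.group(1) is not None, '"%s"' % m.group(2))


def strip_quotes(member):
    """The lossy step the thread worries about: dropping the DQUOTEs."""
    return member.replace('"', "")
```
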