On Mon, Sep 19, 2016 at 10:36 AM, Jim Jagielski <[email protected]> wrote:
>
> > On Aug 2, 2016, at 2:59 PM, Jacob Champion <[email protected]> wrote:
> >
> > On 08/02/2016 11:12 AM, William A Rowe Jr wrote:
> >> One additional thought... On 2.2 and 2.4 I see this change as entirely
> >> opt-in, no disruption to a user performing a subversion upgrade. On
> >> 2.6/3.0 I'd want us to seriously consider changing the out-of-the-box
> >> default to strict parsing.
> >
> > +1.
> >
> > (I have no strong opinions on whether or not this should go into the
> > next release, though.)
>
> Any more thoughts related to this? I know that it is
> still being worked here and there, but knowing whether or
> not it will be folded in 2.4.24 might be incentive to
> finish polishing as it were.
>

I have a strong opinion that the strict request message parsing should be included in 2.4.24/2.2.32. That includes disallowing all unexpected CTL chars. This can easily be ready on your proposed timeframe.

I no longer believe we should address URI formatting until 2.4.25, it's obviously a much larger hornet's nest in terms of many incompatibilities that are well-known.

So I've tweaked some API calls and should have a patch in by tomorrow for this change, to take out the StrictURI option and replace the scan valid uri chars with the efficient scan vchar/obstext that halts on any CTL or space.

Will start a fresh thread for the post-mortem and backport discussions.
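The kind of scan the message describes, as an added example that is not part of the original message and is not httpd's code: a VCHAR/obs-text scanner that halts on any CTL or space, used to strictly check a request line without validating the URI itself. The function names are hypothetical, the byte ranges and the "method SP target SP version" shape are assumed from RFC 7230, and the sample lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not httpd's API): advance over VCHAR (0x21-0x7E)
 * and obs-text (0x80-0xFF) bytes, halting on any CTL (0x00-0x1F, 0x7F)
 * or space. The terminating NUL is a CTL, so the scan cannot overrun. */
static const char *example_scan_vchar_obstext(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p > 0x20 && *p != 0x7F)
        p++;
    return (const char *)p;
}

/* Hypothetical strict check of "method SP target SP version" (the
 * RFC 7230 request-line without its CRLF). Returns 1 only for exactly
 * three non-empty tokens joined by single spaces, nothing else. */
static int example_strict_request_line(const char *line)
{
    const char *p = line;
    for (int tok = 0; tok < 3; tok++) {
        const char *end = example_scan_vchar_obstext(p);
        if (end == p)
            return 0;                 /* empty token or leading CTL/space */
        if (tok < 2) {
            if (*end != ' ')
                return 0;             /* tab, CR, NUL, ... between tokens */
            p = end + 1;
        } else if (*end != '\0') {
            return 0;                 /* trailing CTL or space */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample request lines, not taken from the thread. */
    const char *samples[] = {
        "GET /index.html HTTP/1.1",
        "GET  /index.html HTTP/1.1",
        "GET\t/index.html HTTP/1.1",
        "GET /a\x7f" "b HTTP/1.1",
        "GET /caf\xc3\xa9 HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d %s\n", example_strict_request_line(samples[i]), samples[i]);
    return 0;
}
```

Only the first and last samples pass: the target is checked byte-wise for CTLs and spaces, not for URI syntax, so obs-text bytes in it are accepted.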
