Hi Jan,

> On Mar 24, 2022, at 4:37 PM, Jan Lindblad <j...@tail-f.com> wrote:
> 
> If this isn't obvious, here's an example:
> 1. Client A sends an edit to the server If-Unmodified-Since t0. Successful. 
> Receives a Last-Modified timestamp t1.
> 2. Client B sends an edit to the server. Last-Modified timestamp on server 
> is now t2.
> 3. Client A sends an edit to the server without If-Unmodified-Since. It just 
> sets one tiny little leaf off in one corner. Successful. Received a 
> Last-Modified timestamp t3.
> 4. Client A sends an edit to the server If-Unmodified-Since t3. Successful, 
> but clobbers Client B's edit, leading to a misconfiguration, which opens a 
> security hole.
> 
> This is because the If-Unmodified-Since uses less than or equal in its test. 
> The ETag mechanism is not susceptible to this issue, as it uses an equality 
> test.

I don't think this example is valid. Skipping past the obvious programming 
error, the equivalency you're trying to make applies to ETags too.

1. Client A sends an edit to the server If-Match e0. Successful. Receives an 
ETag e1.
2. Client B sends an edit to the server. ETag on server is now e2.
3. Client A sends an edit to the server without If-Match. It just sets one tiny 
little leaf off in one corner. Successful. Received an ETag e3.
4. Client A sends an edit to the server If-Match e3. Successful, but clobbers 
Client B's edit, leading to a misconfiguration, which opens a security hole.


Kent // contributor
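The four-step exchange from this thread, replayed against a small constructed model of one resource that carries both a Last-Modified timestamp and an ETag. This is an added illustration, not code from either poster or from any RESTCONF implementation; `Resource`, `replay` and `b_edit_survives` are hypothetical names, and the timestamp check uses "changed after the given time" (less-than-or-equal passes) while the ETag check uses exact equality, as the thread describes. It shows that Client B's edit is lost under both validators, and that it survives only when step 3 is itself conditional on the validator Client A last saw.

```python
import itertools


class Resource:
    """Constructed model of one resource with both validators:
    a Last-Modified timestamp (a monotonic counter here) and an ETag."""

    def __init__(self):
        self.data = {}
        self.clock = itertools.count(1)
        self.last_modified, self.etag = 0, "e0"

    def edit(self, changes, replace=False, if_unmodified_since=None, if_match=None):
        """Apply an edit when its precondition holds. Returns (status, (ts, etag))."""
        # Timestamp check: reject only if the resource changed AFTER the given time.
        if if_unmodified_since is not None and self.last_modified > if_unmodified_since:
            return 412, (self.last_modified, self.etag)
        # ETag check: reject unless the tag is exactly the current one.
        if if_match is not None and if_match != self.etag:
            return 412, (self.last_modified, self.etag)
        self.data = dict(changes) if replace else {**self.data, **changes}
        self.last_modified = next(self.clock)
        self.etag = f"e{self.last_modified}"
        return 200, (self.last_modified, self.etag)


def replay(mode, conditional_step3=False):
    """Replay the thread's four steps with mode 'timestamp' (If-Unmodified-Since)
    or 'etag' (If-Match). Returns (step-3 status, step-4 status, final data)."""
    r = Resource()

    def cond(v):  # build the precondition header for the chosen validator
        return {"if_unmodified_since": v[0]} if mode == "timestamp" else {"if_match": v[1]}

    # 1. Client A edits, conditional on the initial validator; gets t1 / e1.
    _, v1 = r.edit({"a": 1}, **cond((0, "e0")))
    a_view = dict(r.data)  # A's cached copy of the config, taken after step 1
    # 2. Client B edits; the server's validator moves on to t2 / e2.
    r.edit({"b": "set by B"})
    # 3. Client A sets one leaf. Unconditional in the thread; stale-conditional if asked.
    s3, v3 = r.edit({"corner": True}, **(cond(v1) if conditional_step3 else {}))
    if s3 != 200:
        return s3, None, dict(r.data)
    # 4. Client A writes back its stale view, conditional on the fresh t3 / e3.
    a_view["corner"] = True
    s4, _ = r.edit(a_view, replace=True, **cond(v3))
    return s3, s4, dict(r.data)


def b_edit_survives(mode, conditional_step3=False):
    """True when Client B's leaf is still present after the exchange."""
    return "b" in replay(mode, conditional_step3)[2]
```

Because the model uses a monotonic counter for timestamps, it does not reproduce the one-second granularity of HTTP dates; the point it isolates is that the clobber comes from the unconditional step 3, not from the comparison operator.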




_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod