On 06/26/2015 06:44 AM, Amos Jeffries wrote:
> + // invalid character somewhere in the line.
> + // As long as we can find the LF, accept the characters
> + // which we know are invalid in any URI, but actively used
> + LfDelim.add('\0'); // Java
> + LfDelim.add(' '); // IIS
> + LfDelim.add('\"'); // Bing
> + LfDelim.add('\\'); // MSIE, Firefox
> + LfDelim.add('|'); // Amazon
On 06/26/2015 09:40 AM, Alex Rousskov wrote:
> In your patch, please add support for all URI characters that we can
> support (or at least all the "unwise" ones from RFC 2396), not just the
> characters that recent deployments have already confirmed "as necessary
> to accommodate". We do not want to come back to this every time some app
> starts sending slightly malformed URIs.
Just got another bug report from the real world. This time it is about
the "^" character used in URLs on a Microsoft news site (probably coming
from some affiliated advertisement services).
I am posting this not to just to emphasize that the list of added
characters is too limited, but to re-emphasize that the whole "allow
what we know is actively used" approach is unfortunate. In your
long-term patch, please add support for all URI characters that we can
support (or at least all the "unwise" ones from RFC 2396).
Thank you,
Alex.
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
