karlcz
commented
7 years ago @hongsudt @bugacov @robes @ljpearlman @svoinea any comments or concerns?
Closed karlcz closed 11 months ago
karlcz
commented
7 years ago @hongsudt @bugacov @robes @ljpearlman @svoinea any comments or concerns?
karlcz
commented
11 months ago The flask refactor has addressed these concerns.
unquote_object_keys
The current service implementation has flaws with the handling of url-encoded characters:
/and:are not allowed in namespace nor object names even when safely encoded by the client. This seems unfriendly as clients should be able to expect url-encoding to work consistently to protect any UTF-8 input they wish to embed in client-generated names.&are allowed but are conflated with their encoded forms. For example, the two object namestest&name.txtandtest%26name.txtare not considered distinct by hatrac when they really should be according to the relevant RFCs.<is neither reserved nor non-reserved and should never appear in a valid URL.%00are rejected but with unhelpful error messages.To improve this, it seems we should make several related changes:
A-Z,a-z,0-9,-,_,., and~/,:,;,?,=, and&only when used as hatrac URL meta syntax%hh%00with a 400 errorAnd optionally:
This last test would be unnecessary for correct hatrac service function or safety, but might improve client safety in situations where clients use decoded URL elements in contexts that are not well guarded against unusual values.