From: Dan Winship Date: Sun, 2 Apr 2006 20:23:51 +0000 (+0000) Subject: add errata from http://skrb.org/ietf/http_errata.html X-Git-Tag: LIBSOUP_2_2_92~6 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0e66ec4c49e79fe587aca8a701010844405831c7;p=platform%2Fupstream%2Flibsoup.git add errata from skrb.org/ietf/http_errata.html --- diff --git a/docs/specs/README b/docs/specs/README index 17daaab..0dee62d 100644 --- a/docs/specs/README +++ b/docs/specs/README @@ -5,8 +5,8 @@ rfc2145 - Use and Interpretation of HTTP Version Numbers rfc2324 - Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0) rfc2388 - Returning Values from Forms: multipart/form-data rfc2518 - HTTP Extensions for Distributed Authoring -- WEBDAV -rfc2616 - HTTP/1.1 (revised) -rfc2617 - HTTP Authentication: Basic and Digest Access Authentication +rfc2616 - HTTP/1.1 (revised) [plus errata] +rfc2617 - HTTP Authentication: Basic and Digest Access Authentication [plus errata] rfc2817 - Upgrading to TLS Within HTTP/1.1 rfc2818 - HTTP Over TLS rfc2965 - HTTP State Management Mechanism (allegedly obsoletes 2109) diff --git a/docs/specs/rfc2616.txt b/docs/specs/rfc2616.txt index 45d7d08..32f6f69 100644 --- a/docs/specs/rfc2616.txt +++ b/docs/specs/rfc2616.txt @@ -1,7 +1,6 @@ - - - +[[ Text in double brackets is from the unofficial errata at ]] +[[ http://skrb.org/ietf/http_errata.html ]] Network Working Group R. Fielding @@ -957,7 +956,7 @@ RFC 2616 HTTP/1.1 June 1999 The version of an HTTP message is indicated by an HTTP-Version field - in the first line of the message. + in the first line of the message. [[HTTP-Version is case-sensitive.]] HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT @@ -1085,6 +1084,7 @@ RFC 2616 HTTP/1.1 June 1999 Characters other than those in the "reserved" and "unsafe" sets (see RFC 2396 [42]) are equivalent to their ""%" HEX HEX" encoding. + [[ Ignore reference to "unsafe" set. ]] For example, the following three URIs are equivalent: @@ -1205,6 +1205,12 @@ RFC 2616 HTTP/1.1 June 1999 charset = token +[[ HTTP uses charset in two contexts: within an Accept-Charset request ]] +[[ header (in which the charset value is an unquoted token) and as the ]] +[[ value of a parameter in a Content-type header (within a request or ]] +[[ response), in which case the parameter value of the charset ]] +[[ parameter may be quoted. ]] + Although HTTP allows an arbitrary token to be used as a charset value, any token that has a predefined value within the IANA Character Set registry [19] MUST represent the character set defined @@ -1354,6 +1360,8 @@ RFC 2616 HTTP/1.1 June 1999 3.6.2), "gzip" (section 3.5), "compress" (section 3.5), and "deflate" (section 3.5). + [[ Remove reference to "identity" token ]] + New transfer-coding value tokens SHOULD be registered in the same way as new content-coding value tokens (section 3.5). @@ -1391,6 +1399,9 @@ RFC 2616 HTTP/1.1 June 1999 the chunk. The chunked encoding is ended by any chunk whose size is zero, followed by the trailer, which is terminated by an empty line. + [[ "the size of the chunk" means "the size of the chunk-data in ]] + [[ octets" ]] + The trailer allows the sender to include additional HTTP header fields at the end of the message. The Trailer header field can be used to indicate which header fields are included in a trailer (see @@ -1470,6 +1481,8 @@ RFC 2616 HTTP/1.1 June 1999 outlined in RFC 1590 [17]. Use of non-registered media types is discouraged. + [[ "RFC 1590" should be "RFC 2048" ]] + 3.7.1 Canonicalization and Text Defaults Internet media types are registered with a canonical form. An @@ -1614,6 +1627,8 @@ RFC 2616 HTTP/1.1 June 1999 primary-tag = 1*8ALPHA subtag = 1*8ALPHA + [[ Updated by RFC 3066: subtags may now contain digits ]] + White space is not allowed within the tag and all tags are case- insensitive. The name space of language tags is administered by the IANA. Example tags include: @@ -1840,6 +1855,8 @@ RFC 2616 HTTP/1.1 June 1999 defined by use of the "chunked" transfer-coding (section 3.6), unless the message is terminated by closing the connection. + [[ Remove 'and has any value other than "identity"' ]] + 3.If a Content-Length header field (section 14.13) is present, its decimal value in OCTETs represents both the entity-length and the transfer-length. The Content-Length header field MUST NOT be sent @@ -1890,6 +1907,8 @@ RFC 2616 HTTP/1.1 June 1999 non-identity transfer-coding. If the message does include a non- identity transfer-coding, the Content-Length MUST be ignored. + [[ Remove "non-identity" both times ]] + When a Content-Length is given in a message where a message-body is allowed, its field value MUST exactly match the number of OCTETs in the message-body. HTTP/1.1 user agents MUST notify the user when an @@ -1999,6 +2018,7 @@ RFC 2616 HTTP/1.1 June 1999 identifies the resource upon which to apply the request. Request-URI = "*" | absoluteURI | abs_path | authority + [[ Request-URI = "*" | absoluteURI | abs_path [ "?" query ] | authority ]] The four options for Request-URI are dependent on the nature of the request. The asterisk "*" means that the request does not apply to a @@ -2998,6 +3018,12 @@ RFC 2616 HTTP/1.1 June 1999 identified by the Request-URI in the Request-Line. POST is designed to allow a uniform method to cover the following functions: +[[ Should be: ]] +[[ The POST method is used to request that the origin server accept the ]] +[[ entity enclosed in the request as data to be processed by the resource ]] +[[ identified by the Request-URI in the Request-Line. POST is designed ]] +[[ to allow a uniform method to cover the following functions: ]] + - Annotation of existing resources; - Posting a message to a bulletin board, newsgroup, mailing list, @@ -3015,6 +3041,8 @@ RFC 2616 HTTP/1.1 June 1999 newsgroup to which it is posted, or a record is subordinate to a database. + [[ Remove second sentence ("The posted entity is subordinate") above ]] + The action performed by the POST method might not result in a resource that can be identified by a URI. In this case, either 200 (OK) or 204 (No Content) is the appropriate response status, @@ -3377,6 +3405,12 @@ RFC 2616 HTTP/1.1 June 1999 MUST include all of the entity-headers that would have been returned with a 200 (OK) response to the same request. +[[ Should be: ]] +[[ If the 206 response is the result of an If-Range request, the ]] +[[ response SHOULD NOT include other entity-headers. Otherwise, the ]] +[[ response MUST include all of the entity-headers that would have ]] +[[ been returned with a 200 (OK) response to the same request. ]] + A cache MUST NOT combine a 206 response with other previously cached content if the ETag or Last-Modified headers do not match exactly, see 13.5.4. @@ -3448,6 +3482,15 @@ RFC 2616 HTTP/1.1 June 1999 request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. +[[ Should be: ]] +[[ If the 301 status code is received in response to a request method ]] +[[ that is known to be "safe", as defined in section 9.1.1, then the ]] +[[ request MAY be automatically redirected by the user agent without ]] +[[ confirmation. Otherwise, the user agent MUST NOT automatically ]] +[[ redirect the request unless it is confirmed by the user, since the ]] +[[ new URI might change the conditions under which the request was ]] +[[ issued. ]] + Note: When automatically redirecting a POST request after receiving a 301 status code, some existing HTTP/1.0 user agents will erroneously change it into a GET request. @@ -3481,6 +3524,8 @@ RFC 2616 HTTP/1.1 June 1999 request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. + [[ See errata to 10.3.3 ]] + Note: RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. However, most existing user agent implementations treat 302 as if it were a 303 @@ -3609,6 +3654,8 @@ RFC 2616 HTTP/1.1 June 1999 request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. + [[ See errata to 10.3.3 ]] + 10.4 Client Error 4xx The 4xx class of status code is intended for cases in which the @@ -5130,7 +5177,7 @@ RFC 2616 HTTP/1.1 June 1999 - Proxy-Authenticate - Proxy-Authorization - TE - - Trailers + - Trailers [[should be "Trailer"]] - Transfer-Encoding - Upgrade @@ -5462,6 +5509,12 @@ RFC 2616 HTTP/1.1 June 1999 on the URI in a Location or Content-Location header MUST only be performed if the host part is the same as in the Request-URI. +[[ Should be: ]] +[[ An invalidation based on the URI in a Location or Content-Location ]] +[[ header MUST NOT be performed if the host part of that URI differs ]] +[[ from the host part in the Request-URI. This helps prevent denial of ]] +[[ service attacks. ]] + A cache that passes through requests for methods it does not understand SHOULD invalidate any entities referred to by the Request-URI. @@ -5719,6 +5772,10 @@ RFC 2616 HTTP/1.1 June 1999 1#( codings [ ";" "q" "=" qvalue ] ) codings = ( content-coding | "*" ) + [[ http://lists.w3.org/Archives/Public/ietf-http-wg/2005AprJun/0029.html ]] + [[ points out that the "1#" must be "#" to make the examples below and ]] + [[ the text of rule 4 correct. ]] + Examples of its use are: Accept-Encoding: compress, gzip @@ -6542,6 +6599,14 @@ RFC 2616 HTTP/1.1 June 1999 HTTP/1.1 applications that do not support persistent connections MUST include the "close" connection option in every message. +[[ Should say: ]] +[[ An HTTP/1.1 client that does not support persistent connections ]] +[[ MUST include the "close" connection option in every request message. ]] +[[ ]] +[[ An HTTP/1.1 server that does not support persistent connections ]] +[[ MUST include the "close" connection option in every response ]] +[[ message that does not have a 1xx (informational) status code. ]] + A system receiving an HTTP/1.0 (or lower-version) message that includes a Connection header MUST, for each connection-token in this field, remove and ignore any header field(s) from the message with @@ -7545,6 +7610,7 @@ RFC 2616 HTTP/1.1 June 1999 field value consists of a single absolute URI. Location = "Location" ":" absoluteURI + [[ [ "#" fragment ] ]] An example is: @@ -7885,6 +7951,7 @@ RFC 2616 HTTP/1.1 June 1999 If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server response-header. Instead, it SHOULD include a Via field (as described in section 14.45). + [[ Actually, it MUST ]] Note: Revealing the specific software version of the server might allow the server machine to become more vulnerable to attacks @@ -8868,6 +8935,11 @@ RFC 2616 HTTP/1.1 June 1999 [17] Postel, J., "Media Type Registration Procedure", RFC 1590, November 1996. +[[ Should be: ]] +[[ [17] Freed, N., Klensin, J., and Postel, J., "Multipurpose Internet ]] +[[ Mail Extensions (MIME) Part Four: "Registration Procedure", ]] +[[ RFC 2048, November 1996. ]] + [18] Postel, J. and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, October 1985. @@ -9401,6 +9473,9 @@ RFC 2616 HTTP/1.1 June 1999 remove any non-identity CTE ("quoted-printable" or "base64") encoding prior to delivering the response message to an HTTP client. + [[ "MUST remove any CTE encoding prior to delivering the response ]] + [[ message to an HTTP client." ]] + Proxies and gateways from HTTP to MIME-compliant protocols are responsible for ensuring that the message is in the correct format and encoding for safe transport on that protocol, where "safe diff --git a/docs/specs/rfc2617.txt b/docs/specs/rfc2617.txt index 771aa92..b8fdf59 100644 --- a/docs/specs/rfc2617.txt +++ b/docs/specs/rfc2617.txt @@ -1,8 +1,6 @@ - - - - +[[ Text in double brackets is from the unofficial errata at ]] +[[ http://skrb.org/ietf/http_errata.html ]] Network Working Group J. Franks Request for Comments: 2617 Northwestern University @@ -412,6 +410,8 @@ RFC 2617 HTTP Authentication June 1999 domain = "domain" "=" <"> URI ( 1*SP URI ) <"> + [[ Should be: ]] + [[ domain = "domain" "=" <"> URI *( 1*SP URI ) <"> ]] URI = absoluteURI | abs_path nonce = "nonce" "=" nonce-value nonce-value = quoted-string @@ -1466,6 +1466,8 @@ RFC 2617 HTTP Authentication June 1999 5 Sample implementation + [[ WARNING: DigestCalcHA1 IS WRONG ]] + The following code implements the calculations of H(A1), H(A2), request-digest and response-digest, and a test program which computes the values used in the example of section 3.5. It uses the MD5