Time   Nick   Message

00:13  ***  shrink0r joined #rest
00:18  ***  shrink0r_ joined #rest
00:30  ***  shrink0r joined #rest
01:12  ***  shrink0r_ joined #rest
05:31  ***  lemur joined #rest
07:07  ***  Left_Turn joined #rest
07:19  ***  philbot joined #rest
07:19  ***  Topic for #rest is now #rest REpresentational State Transfer | logs: http://irclog.greptilian.com/rest/today | http://tech.groups.yahoo.com/group/rest-discuss | http://code.google.com/p/implementing-rest/ | http://en.wikipedia.org/wiki/Representational_State_Transfer
08:10  ***  graste joined #rest
09:13  ***  shrink0r joined #rest
09:15  ***  quimrstorres joined #rest
09:19  ***  quimrstorres joined #rest
10:14  ***  igitoor joined #rest
10:23  ***  shrink0r joined #rest
10:25  ***  shrink0r_ joined #rest
10:30  ***  igitoor joined #rest
10:34  ***  rosstuck joined #rest
10:37  ***  alxbl joined #rest
10:49  ***  rosstuck joined #rest
10:58  ***  quimrstorres joined #rest
11:32  ***  jcromartie joined #rest
11:32  ***  jcromartie joined #rest
11:41  ***  Andre-B joined #rest
12:05  ***  mezod joined #rest
13:30  ***  angular_mike joined #rest
13:36  ***  quimrstorres joined #rest
13:56  ***  quimrstorres joined #rest
14:18  ***  arbelos joined #rest
14:20  ***  blahdeblah_ joined #rest
14:22  ***  blahdeblah__ joined #rest
14:27  ***  saml joined #rest
14:31  ***  nkoza joined #rest
14:54  ***  zama joined #rest
15:07  ***  quimrstorres joined #rest
16:07  ***  baweaver joined #rest
16:30  ***  quimrstorres joined #rest
16:30  ***  quimrstorres joined #rest
16:41  ***  co-arbelos joined #rest
17:07  ***  navls left #rest
17:08  ***  foist joined #rest
18:02  ***  philbot joined #rest
18:02  ***  Topic for #rest is now #rest REpresentational State Transfer | logs: http://irclog.greptilian.com/rest/today | http://tech.groups.yahoo.com/group/rest-discuss | http://code.google.com/p/implementing-rest/ | http://en.wikipedia.org/wiki/Representational_State_Transfer
18:18  ***  graste joined #rest
19:00  ***  shrink0r joined #rest
19:05  ***  arbelos joined #rest
20:01  ***  jackalista joined #rest
20:20  ***  shrink0r_ joined #rest
20:22  ***  shrink0r joined #rest
21:31  ***  adaro joined #rest
21:33  ***  co-arbelos joined #rest
22:13  <spaceone>   is it valid to have %0A (== \n) in the path of the HTTP request URI? → GET /foo%0Abar/ HTTP/1.1
22:13  <spaceone>   ?
22:15  <spaceone>   or is it restricted to the quoted chars of ":/?#[]@!$&'()*+,;=" plus A-Za-z0-9
22:19  <fumanchu>   as long as it's escaped, it's valid
22:19  <whartung>   ^^
22:22  <fumanchu>   the http URI scheme uses path-abempty for path segments, which consist of "segment" productions, which are composed of pchars
22:23  <fumanchu>   pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
22:23  <fumanchu>   see section 3.3 (or Appendix A) of https://www.ietf.org/rfc/rfc3986.txt
22:23  <spaceone>   yep, okay
23:08  <pdurbin>    I'm hearing good things about https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
23:09  <whartung>   don't even get me started on encrypting stored data.
23:10  <whartung>   funny: "RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie."
23:11  <whartung>   "Many web services are written to be as stateless as possible. This usually ends up with a state blob being sent as part of the transaction."
23:11  <whartung>   That's not really what it means at all...
23:12  <asdf`>      err, about this part: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Insecure_direct_object_references
23:12  <asdf`>      i'm not sure how either of these conclusions follow from the urls?
23:13  <whartung>   it's kind of interesting.
23:13  <whartung>   basically they're suggesting
23:13  <whartung>   that if the URL is "all you need", then "anything can happen".
23:13  <whartung>   the account xfer is a particularly good one.
23:15  <whartung>   if you have a payload (since it doesn't matter if it's a url or a payload, really) that says "xfer from acct 1234 to acct 4567", what's to stop it from being "from acct 1234 to acct 9876"? truth is, probably nothing. However, "xfer from acct 3333 to 4567" should likely be disallowed, since odds are the user has no rights to transfer from 3333, just from 1234.
23:15  <whartung>   so the point is that you need to validate your data and check your rights.
23:15  <whartung>   this is context based security, rather than access based security
23:15  <whartung>   99.9% of web security is URL based (can't they access the endpoint at ALL)
23:16  <whartung>   since it's mostly based on the old page model
23:16  <whartung>   rather than what you can do with the data.
23:16  <whartung>   this is something folks may not think about.
23:16  <whartung>   mostly because it's a real pain to implement :) lol
23:17  <asdf`>      depends on the stack you're using, of course
23:18  <asdf`>      no, i get what they meant, it's just, it's written VERY badly; it doesn't even mention authorization
23:18  <whartung>   has nothing to do with the stack. Contextual data access is a Hard Problem. Whatever help a stack may offer doesn't really solve the problem.
23:18  <asdf`>      instead, it mentions primary and foreign keys (???)
23:19  <whartung>   yea, their point is to prevent fishing by not publishing keys.
23:31  ***  fumanchu_ joined #rest
23:34  <fumanchu_>  man, gzip could use an overhaul. null-terminated header strings, using EOF to detect the footer. ick.
23:38  ***  blahdeblah joined #rest