Time  Nick      Message
22:13 spaceone  is it valid to have %0A (== \n) in the path of the HTTP request URI? → GET /foo%0Abar/ HTTP/1.1
22:13 spaceone  ?
22:15 spaceone  or is it restricted to the quoted chars of ":/?#[]@!$&'()*+,;=" plus A-Za-z0-9
22:19 fumanchu  as long as it's escaped, it's valid
22:19 whartung  ^^
22:22 fumanchu  the http URI scheme uses path-abempty for path segments, which consist of "segment" productions, which are composed of pchars
22:23 fumanchu  pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
22:23 fumanchu  see section 3.3 (or Appendix A) of https://www.ietf.org/rfc/rfc3986.txt
22:23 spaceone  yep, okay
23:08 pdurbin   I'm hearing good things about https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
23:09 whartung  don't even get me started on encrypting stored data.
23:10 whartung  funny: RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie.
23:11 whartung  "Many web services are written to be as stateless as possible. This usually ends up with a state blob being sent as part of the transaction."
23:11 whartung  That's not really what it means at all...
23:12 asdf`     err, about this part: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Insecure_direct_object_references
23:12 asdf`     i'm not sure how either of these conclusions follow from the urls?
23:13 whartung  it's kind of interesting.
23:13 whartung  bsasically they'r esuggesting
23:13 whartung  that if the URL is "all you need", then "anything can happen".
23:13 whartung  the account xfer is a particularly good one.
23:15 whartung  if you have payload (since it doesn't matter if it's a url or a payload, really), that says "xfer from acct 1234 to acct 4567" what's to stop it from being "from acct 1234 to acct 9876", and truth is probably nothing. However, "xfer from acct 3333 to 4567", that should likely be disallowed, since odds are the user has not rights to transfer from 3333, but just 1234.
23:15 whartung  so the point is that you need to validate your data and check your rights.
23:15 whartung  this is context based security, rather than access based security
23:15 whartung  99.9% of web security is URL based (can't they access teh endpoint at ALL)
23:16 whartung  since it's mostly based on the old page model
23:16 whartung  rather than what you can do with the data.
23:16 whartung  this is something folks may not think about.
23:16 whartung  mostly because it's a real pain to implement :) lol
23:17 asdf`     depends on the stack you're using, of course
23:18 asdf`     no, i get what they meant, it's just, it's written VERY badly; it doesn't even mention authorization
23:18 whartung  has nothing to do with the stack. Contextual data access is a Hard Problem. Whatever help a stack may offer, doesn't really solve the problem.
23:18 asdf`     instead, it mentions primary and foreign keys (???)
23:19 whartung  yea, their point is to prevent fishing by not publishing keys.
23:34 fumanchu_ man, gzip could use an overhaul. null-terminated header strings, using EOF to detect the footer. ick.