RFC Errata



Found 2 records.

Status: Verified (2)

RFC 9421, "HTTP Message Signatures", February 2024

Source of RFC: httpbis (wit)

Errata ID: 8103
Status: Verified
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Takahiko Kawasaki
Date Reported: 2024-09-15
Verifier Name: Francesca Palombini
Date Verified: 2024-10-29

Section 7.5.3 says:

Several parts of this specification rely on the parsing of Structured
Field values [STRUCTURED-FIELDS] -- in particular, strict
serialization of HTTP Structured Field values (Section 2.1.1),
referencing members of a Dictionary Structured Field (Section 2.1.2),
and processing the @signature-input value when verifying a signature
(Section 3.2).  While Structured Field values are designed to be
relatively simple to parse, a naive or broken implementation of such
a parser could lead to subtle attack surfaces being exposed in the
implementation.

For example, if a buggy parser of the @signature-input value does not
enforce proper closing of quotes around string values within the list
of component identifiers, an attacker could take advantage of this
and inject additional content into the signature base through
manipulating the Signature-Input field value on a message.

It should say:

Several parts of this specification rely on the parsing of Structured
Field values [STRUCTURED-FIELDS] -- in particular, strict
serialization of HTTP Structured Field values (Section 2.1.1),
referencing members of a Dictionary Structured Field (Section 2.1.2),
and processing the @signature-params value when verifying a signature
(Section 3.2).  While Structured Field values are designed to be
relatively simple to parse, a naive or broken implementation of such
a parser could lead to subtle attack surfaces being exposed in the
implementation.

For example, if a buggy parser of the @signature-params value does not
enforce proper closing of quotes around string values within the list
of component identifiers, an attacker could take advantage of this
and inject additional content into the signature base through
manipulating the Signature-Input field value on a message.

Notes:

"@signature-input" should be changed to "@signature-params". There is one such error in both the first and second paragraphs of Section 7.5.3.
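
The failure mode Section 7.5.3 describes can be seen by comparing a quote-splitting extractor with a strict parser for the inner list of component identifiers. This is an added example, not text from RFC 9421 or from the erratum; the function names are hypothetical, the sample field values are constructed, and it assumes component parameters are bare flags or string-valued.

```python
# Added example (not RFC text); assumes items are sf-strings with flag or string params.
import re

PARAM_KEY = re.compile(r";([a-z*][a-z0-9_\-.*]*)")  # RFC 8941 parameter key

def naive_components(s):
    """Broken on purpose: never checks that a quote is closed."""
    return s.split('"')[1::2]

def parse_sf_string(s, i):
    """Parse an RFC 8941 String at s[i]; return (value, next index)."""
    if s[i:i + 1] != '"':
        raise ValueError(f"expected opening quote at offset {i}")
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == '"':                      # properly closed
            return "".join(out), i + 1
        if c == "\\":                     # only \" and \\ are valid escapes
            i += 1
            c = s[i:i + 1]
            if c not in ('"', "\\"):
                raise ValueError(f"invalid escape at offset {i}")
        elif not 0x20 <= ord(c) <= 0x7E:
            raise ValueError(f"invalid character at offset {i}")
        out.append(c)
        i += 1
    raise ValueError("unterminated string")

def parse_component_list(s):
    """Return ([(name, params)], index just past ')'), or raise ValueError."""
    if not s.startswith("("):
        raise ValueError("inner list must start with '('")
    i, items = 1, []
    while True:
        while s[i:i + 1] == " ":
            i += 1
        if s[i:i + 1] == ")":
            return items, i + 1
        name, i = parse_sf_string(s, i)
        params = {}
        while (m := PARAM_KEY.match(s, i)):
            key, i = m.group(1), m.end()
            params[key] = True
            if s[i:i + 1] == "=":
                params[key], i = parse_sf_string(s, i + 1)
        if s[i:i + 1] not in (" ", ")"):
            raise ValueError(f"expected SP or ')' at offset {i}")
        items.append((name, params))
```

On the constructed value `("@status" "content-digest);created=1`, `naive_components` returns the unterminated remainder as a component name, while `parse_component_list` raises `ValueError`.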

Errata ID: 8102
Status: Verified
Type: Editorial
Publication Format(s) : TEXT, PDF, HTML

Reported By: Takahiko Kawasaki
Date Reported: 2024-09-15
Verifier Name: Francesca Palombini
Date Verified: 2024-10-29

Section 7.2.8 says:

"@status": 200
"content-digest": \
  sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
"@signature-input": ("@status" "content-digest")

It should say:

"@status": 200
"content-digest": \
  sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
"@signature-params": ("@status" "content-digest")

Notes:

"@signature-input" should be changed to "@signature-params".
