Posted to dev@devicemap.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2013/05/13 14:37:15 UTC

UA in query string (was: Java webservice)

Hi,

On Mon, May 13, 2013 at 8:40 AM, eberhard speer jr. <se...@ducis.net> wrote:
> 1) user-agent in URL query-string
> Some servers, in my opinion quite rightly, are configured to refuse
> requests with 'dodgy' character sequences in their query string (like
> complete URLs with their own query string), such as may occur in some
> of the more exotic user-agent strings....

I don't get that - If you call the service from a form such as

<form action="http://devicemap-vm.apache.org/javaservice.js">
  <input name="ua" type="text"/>
  <input type="submit"/>
</form>

the ua parameter is encoded and there's no problem with that IMO -
maybe a too long URL in some cases, unlikely with UA values and you
can always switch to POST if needed.

If you call the service from code, you must encode the URL parameter.

> Security considerations may also, again quite rightly, be invoked to
> limit the length of URL and/or query string of a request.

Ok, so switch to POST then - the service can support both POST and GET.

Note that the same happens with HTTP request headers, Jetty/Tomcat for
example will reject requests with more than N bytes of request headers
(around 4k by default IIRC, similar to typical URL length limits).

>
> In short, including the user-agent string in the query string can
> justifiably be said to open a potential attack vector on a host...

I disagree...until you can show me a concrete scenario ;-)

> ...The solution I chose and propose : including the ua to be resolved in
> a custom HTTP header (Ddr-User-Agent)...

I'm not against that as an additional option if you think it is
useful, but IMO that violates the principle of least surprise.

Supporting several methods of providing the UA is fine with me, and
I'd then include in the output an indication of which one was used -
maybe an additional X-devicemap-UAsource = "Ddr-User-Agent header"
output value.

-Bertrand
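As an added example (not code from the thread or the DeviceMap project), the following Python sketches the three carriers for the UA value discussed above: an encoded `ua` query parameter on GET, the same parameter in a POST body when the URL would get too long, and the custom `Ddr-User-Agent` header, with a server-side resolver that reports which source was used in an `X-devicemap-UAsource` style value. The service URL and header names come from the thread; the 4k length cap, the `raw_url_in_query` check and the sample user-agent string are constructed assumptions for illustration.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

SERVICE_URL = "http://devicemap-vm.apache.org/javaservice.js"  # endpoint named in the thread
UA_HEADER = "Ddr-User-Agent"                # custom request header proposed in the thread
SOURCE_HEADER = "X-devicemap-UAsource"      # output value suggested in the thread
MAX_URL_BYTES = 4096                        # assumed cap, mirrors the ~4k header limit mentioned

# Constructed sample: an "exotic" UA that embeds a full URL with its own query string.
EXOTIC_UA = "Mozilla/5.0 (compatible; ExampleBot/1.0; +http://example.invalid/bot?id=1&x=2)"


def build_get_url(ua):
    """GET form: the UA becomes a properly percent-encoded `ua` query parameter."""
    return SERVICE_URL + "?" + urlencode({"ua": ua})


def build_post_body(ua):
    """POST form: same encoding, carried in an application/x-www-form-urlencoded body."""
    return urlencode({"ua": ua}).encode("utf-8")


def build_header_request(ua):
    """Header form: the UA is sent verbatim in the custom header."""
    return {UA_HEADER: ua}


def choose_transport(ua):
    """Client side: use GET unless the encoded URL would exceed MAX_URL_BYTES, then POST."""
    url = build_get_url(ua)
    if len(url.encode("utf-8")) <= MAX_URL_BYTES:
        return "GET", url, None
    return "POST", SERVICE_URL, build_post_body(ua)


def raw_url_in_query(query_string):
    """Hypothetical front-end filter: flag query strings carrying an unencoded URL.
    A correctly encoded `ua` parameter never trips this, because '?', '&' and ':'
    are percent-encoded by urlencode."""
    return "://" in query_string or "?" in query_string


def resolve_ua_source(query_string="", post_body=b"", headers=None):
    """Server side: take the UA from whichever carrier was used and name the source.
    Precedence is header, then POST body, then query string (an assumption)."""
    headers = headers or {}
    for name, value in headers.items():           # header names are case-insensitive
        if name.lower() == UA_HEADER.lower():
            return value, f"{UA_HEADER} header"
    if post_body:
        vals = parse_qs(post_body.decode("utf-8")).get("ua")
        if vals:
            return vals[0], "POST parameter"
    if query_string:
        vals = parse_qs(query_string).get("ua")
        if vals:
            return vals[0], "GET parameter"
    return None, "none"


def describe_response(ua, source):
    """What the service could echo back so the caller knows which input was used."""
    return {"ua": ua, SOURCE_HEADER: source}


if __name__ == "__main__":
    method, url, body = choose_transport(EXOTIC_UA)
    print(method, url)
    print(resolve_ua_source(query_string=urlsplit(url).query))
    print(resolve_ua_source(headers=build_header_request(EXOTIC_UA)))
```

Running the block shows that the embedded URL survives the GET round trip intact once it is encoded, and that the resolver reports `Ddr-User-Agent header` when the custom header is present even if a `ua` query parameter is also supplied.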