On Mon, May 04, 2020 at 08:39:57AM -0700, Carlo Marcelo Arenas Belón wrote:
> On Mon, May 04, 2020 at 10:44:36AM -0400, Jeff King wrote:
> > On Mon, May 04, 2020 at 12:45:20AM -0700, Carlo Marcelo Arenas Belón wrote:
> > >
> > > * the meaning of "exactly" for matching protocol and hostname in the URL
> > > since 06 are both case insensitive per RFC3986 and we have been
> > > ambiguous on that, leading to some helpers assuming case or encoding.
> >
> > Yeah, IIRC we discussed case-sensitivity at the time and went with the
> > stricter behavior in the name of safety over convenience. And I don't
> > think anybody has complained since then. So I'm not really _opposed_ to
> > loosening it to match the URL, but perhaps a maintenance release is not
> > the best time to do so.
>
> agree, but I was talking not in the context of a feature, but on how we
> are to define the interaction with helpers (which was meant to be part of
> this maintenance release).
>
> currently (since it is undefined) a naive helper could do a caseless match
> by assuming we really meant url as defined by RFC3986, and therefore affect
> the wrong credential by the operation.

Right, I understand. But if helpers are doing case-insensitive matches, I
don't think that's a big deal security-wise. And if we're not for our
helpers, that's erring on the conservative side, but if nobody is
complaining about it, I don't think it's urgent.

-Peff
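The three matching policies the thread contrasts, as an added illustration that is not code from git or from any of the participants: strict byte-for-byte comparison of protocol, host and path; RFC 3986 semantics, where scheme and host are case-insensitive but the path is not; and a naive fully caseless comparison. The credential store, the URLs and the `Credential` structure are constructed for the example; they assume a store keyed by protocol, host and path, which is a simplification of what a real helper keeps.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    """One stored credential, keyed by the URL components a helper matches on (constructed model)."""
    protocol: str
    host: str
    path: str
    username: str

def split_url(url: str) -> tuple[str, str, str]:
    """Split 'scheme://[user@]host[:port]/path' into (scheme, host, path) without altering case.

    Done by hand rather than with urllib.parse so the strict policy can see the raw case.
    """
    scheme, rest = url.split("://", 1)
    netloc, _, path = rest.partition("/")
    host = netloc.rsplit("@", 1)[-1]      # drop any userinfo, keep host[:port] as written
    return scheme, host, "/" + path

def match_strict(store: list[Credential], url: str) -> list[Credential]:
    """Exact match on every component: the conservative behaviour discussed in the thread."""
    scheme, host, path = split_url(url)
    return [c for c in store
            if c.protocol == scheme and c.host == host and c.path == path]

def match_rfc3986(store: list[Credential], url: str) -> list[Credential]:
    """RFC 3986 semantics: scheme (sec. 3.1) and host (sec. 3.2.2) are case-insensitive,
    the path is compared as written."""
    scheme, host, path = split_url(url)
    return [c for c in store
            if c.protocol.lower() == scheme.lower()
            and c.host.lower() == host.lower()
            and c.path == path]

def match_naive_caseless(store: list[Credential], url: str) -> list[Credential]:
    """The 'naive helper' case: everything, path included, folded to lower case.
    Two credentials whose paths differ only in case collide, so the wrong one can be
    returned, overwritten or erased by a store/erase operation."""
    scheme, host, path = split_url(url)
    return [c for c in store
            if c.protocol.lower() == scheme.lower()
            and c.host.lower() == host.lower()
            and c.path.lower() == path.lower()]

# Constructed store: two entries on the same host whose paths differ only in case.
STORE = [
    Credential("https", "Example.com", "/Team/repo.git", "alice"),
    Credential("https", "example.com", "/team/repo.git", "bob"),
]

def usernames(policy, url: str) -> list[str]:
    """Usernames a given matching policy would hand back for a request URL."""
    return [c.username for c in policy(STORE, url)]

if __name__ == "__main__":
    req = "https://example.com/Team/repo.git"
    for name, policy in (("strict", match_strict),
                         ("rfc3986", match_rfc3986),
                         ("naive", match_naive_caseless)):
        print(f"{name:8s} -> {usernames(policy, req)}")
```

Strict matching finds nothing for the request (the stored host is `Example.com`), RFC 3986 matching finds only `alice`, and the naive caseless policy returns both entries, which is the ambiguity the thread is concerned about when a helper is asked to erase or replace "the" matching credential.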