Re: [Sks-devel] Re: SKS v. unknown HTTP headers (was: Re: IPv6 failover?)

[David Shaw]

On Sat, Aug 20, 2005 at 07:00:30AM -0400, Yaron Minsky wrote:
> On 8/19/05, David Shaw <address@hidden> wrote:
> > 
> > I just tried it. It does not work.
> 
> 
> Harumph. So I'm just confused. Here's the code in the current version:
> 
> match request with
> "/pks/add" ->
> let keytext = Scanf.sscanf (Wserver.decode body) "keytext=%s" (fun s -> s) 
> in
> let keys = Armor.decode_pubkey keytext in
> 
> This looks right to me. It handles "keytext=<some string>" as well as 
> "keytext%3D<some string>". Jason's first patch seemed to handle the cases 
> "keytext=<some string>" and "keytext%<some string>". Jason later proposed 
> the following patch:
> 
> let keytext = Wserver.decode body in
> let tosser = Scanf.sscanf keytext "keytext=" (fun s -> s) in
> let keytext = Str.string_after keytext 8 in
> 
> Which seems like the same thing as my most recent patch. So what's the right 
> behavior? Can someone explain to me what I'm doing wrong?

Handling "keytext%<some string> is definitely incorrect.  The % is
just to escape the = sign as %3D.

I'm not the best at reading ocaml, but it doesn't seem that your code
will handle arbitrary %-escaping elsewhere in <some string>.  The HTTP
spec allows any character to be escaped.  Some clients (like libcurl)
are a little more agressive about escaping.  For example, the actual
stream that is sent from curl during the HTTP POST begins:

keytext%3D%2D%2D%2D%2D%2DBEGIN%20PGP%20PUBLIC%20KEY%20BLOCK%2D%2D%2D%2D%2D%0AVersion%3A%20GnuPG
(etc)

David