[armedbear] #432: CL:OPEN on URL-PATHNAME does not redirect across different schemes
armedbear
armedbear-devel at common-lisp.net
Tue Jun 6 07:00:41 UTC 2017
#432: CL:OPEN on URL-PATHNAME does not redirect across different schemes
------------------------------+--------------------------
     Reporter:  aruttenberg   |      Owner:  mevenson
         Type:  defect        |     Status:  accepted
     Priority:  blocker       |  Milestone:  1.5.0
    Component:  streams       |    Version:  1.5.0-dev
   Resolution:                |   Keywords:  has-test uri
Parent Tickets:               |
------------------------------+--------------------------
Comment (by mevenson):
Replying to [comment:11 aruttenberg]:
> BTW, I don't buy that I should have to use truename every time I use a
> URI to get appropriate behavior with a URI. I don't have to do that every
> time I use a file name.
I haven't suggested that one needs to use {{{CL:TRUENAME}}} every time one
uses a {{{EXT:PATHNAME-URL}}}, merely that it provides some clue to the
user about the need to follow redirects to access the representation.
> While I think your concerns about security are well-motivated, I think
> they are out of place here. Common lisp was not engineered for security,
> and bits and pieces here and there being secure won't change that. If
> there's a need for a more secure use of common lisp that needs to be
> implemented by some package, with a new set of APIs and documentation
> explaining what the "secure" package brings to the table.
In creating the possibility to load resources from the network via
{{{EXT:PATHNAME-URL}}} references, it is incumbent to follow a "principle of
least surprise" to the user of these new abstractions, irrespective of the
security concerns of Common Lisp, the language (which probably "don't
exist" in the first place). As such, to have a request for a resource via
the 'https' schema get redirected through a 'http' connection while
leaking information certainly would cause surprise to the user, and should
be avoided if possible.
--
Ticket URL: <http://abcl.org/trac/ticket/432#comment:12>
armedbear <http://abcl.org>
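The redirect policy argued for in the comment above, as an added example in Python (not ABCL's code and not the ticket's test): redirects are followed, but a hop that would move an 'https' request onto 'http' is refused rather than silently taken. The transport is a constructed in-memory response table so it runs offline; the URLs and bodies in it are made up.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for real HTTP responses (not real hosts):
# url -> (status, Location header or None, body or None)
FAKE_RESPONSES = {
    "https://example.test/lib.lisp": (301, "https://mirror.example.test/lib.lisp", None),
    "https://mirror.example.test/lib.lisp": (200, None, b"(defun f () 42)"),
    "https://example.test/old.lisp": (302, "http://legacy.example.test/old.lisp", None),
    "http://legacy.example.test/old.lisp": (200, None, b"(defun g () 0)"),
    "https://example.test/loop.lisp": (302, "/loop.lisp", None),  # relative, to itself
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class SchemeDowngradeError(Exception):
    """Raised when a redirect would leave a secure scheme for an insecure one."""


def fake_fetch(url):
    """One 'HTTP request' against the constructed table: (status, location, body)."""
    return FAKE_RESPONSES.get(url, (404, None, None))


def scheme_change_allowed(current, target, allow_downgrade=False):
    """Same scheme and http -> https upgrades are fine; anything else is a downgrade."""
    if current == target or (current == "http" and target == "https"):
        return True
    return allow_downgrade


def resolve(url, fetch=fake_fetch, max_hops=5, allow_downgrade=False):
    """Follow redirects from url, enforcing the scheme policy on every hop.

    Returns (final_url, body). Loops and excessive chains raise OSError so the
    caller never blocks on a misbehaving server.
    """
    seen = set()
    while len(seen) < max_hops:
        if url in seen:
            raise OSError(f"redirect loop at {url}")
        seen.add(url)
        status, location, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            if status != 200:
                raise OSError(f"{url}: HTTP {status}")
            return url, body
        # Location may be relative; resolve it against the URL that issued it.
        target = urljoin(url, location)
        if not scheme_change_allowed(urlsplit(url).scheme, urlsplit(target).scheme,
                                     allow_downgrade):
            raise SchemeDowngradeError(f"refusing redirect {url} -> {target}")
        url = target
    raise OSError(f"too many redirects ({max_hops}) starting from {min(seen)}")
```

With the default policy the 'old.lisp' chain is rejected at the https-to-http hop; passing allow_downgrade=True makes the caller's acceptance of that risk explicit in the code instead of implicit in the stream implementation.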