Page 1 of 1

Send binary data via GET

Posted: Sat Nov 11, 2006 6:16 pm
by Ambush Commander
I am currently writing code to validate URIs. While I was working on it, I realized that using percent-encoding would, theoretically speaking, enable people to insert binary data into the URI: i.e. %00.

W3C's document on this matter is ambiguous: it does not mention binary data specifically but does comment on non-ASCII characters, but in the context of actual character encodings.

This leads me to believe that binary data is not meant to be transferred via HTTP GET. This also implies that the URI should be well-formed UTF-8 after decoding everything. How interesting. Of course, it could be that none of this really matters.

What do you think?

Posted: Sat Nov 11, 2006 6:20 pm
by aaronhall

Posted: Sat Nov 11, 2006 6:21 pm
by feyd
I know binary data is sent via URL all the time. Why? Take a look at the hacking attempts in your server request logs. :)

Posted: Sat Nov 11, 2006 6:26 pm
by Ambush Commander
Okay, so we've pretty well established that it is possible to send binary data through URLs. Is it desirable behaviour, though? Is it malicious enough to warrant implementing checks against?

Posted: Sat Nov 11, 2006 6:29 pm
by feyd
Ambush Commander wrote:Is it desirable behaviour, though?
Arbitrary binary, absolutely not. However because character encodings can hit most if not all binary values it certainly could be, technically.

Posted: Sat Nov 11, 2006 7:12 pm
by Ambush Commander
Well, as I said, I'd be checking for well-formedness of the character encoding. I guess this makes things pretty clear. ::sigh::