[tor-bugs] #29432 [Core Tor/Tor]: QuotedString and CString in control-spec.txt technically require escaping ascii 32 (space)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Feb 8 02:26:34 UTC 2019 

#29432: QuotedString and CString in control-spec.txt technically require escaping
ascii 32 (space)
------------------------------+----------------------
     Reporter:  dcf           |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-spec
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+----------------------
 control-spec.txt 2.1 [https://gitweb.torproject.org/torspec.git/tree
 /control-spec.txt?id=795420240305a6d67c0f4322993a65da4c7b6f2f#n110 says]:
 > === 2.1. Description format ===
 > We use the following nonterminals from RFC 2822: `atom`, `qcontent`
 > ...
 > {{{QuotedString = DQUOTE *qcontent DQUOTE}}}
 > ...
 > === 2.1.1. Notes on an escaping bug ===
 > {{{CString = DQUOTE *qcontent DQUOTE}}}

 RFC 2822 [https://tools.ietf.org/html/rfc2822#section-3.2.5 defines]
 `qcontent` thus:
 {{{
 qtext           =       NO-WS-CTL /     ; Non white space controls

                         %d33 /          ; The rest of the US-ASCII
                         %d35-91 /       ;  characters not including "\"
                         %d93-126        ;  or the quote character

 qcontent        =       qtext / quoted-pair
 }}}
 where `NO-WS-CTL` [https://tools.ietf.org/html/rfc2822#section-3.2.1
 expands to]
 {{{
 NO-WS-CTL       =       %d1-8 /         ; US-ASCII control characters
                         %d11 /          ;  that do not include the
                         %d12 /          ;  carriage return, line feed,
                         %d14-31 /       ;  and white space characters
                         %d127
 }}}

 In short, `qcontent` does not include the space character (ascii 32), and
 so according to a strict reading of the spec, anything that produces a
 QuotedString or CString has to escape spaces as `\ ` or `\040`.

 The reason why RFC 2822 does not require space to be escaped is that the
 definition of `quoted-string` is not `DQUOTE *qcontent DQUOTE` as in
 control-spec.txt, but also allows whitespace as part of the `[FWS]`
 production:
 {{{
 quoted-string   =       [CFWS]
                         DQUOTE *([FWS] qcontent) [FWS] DQUOTE
                         [CFWS]
 }}}

 I notice that tor doesn't escape the space character (in `esc_for_log` and
 `unescape_string` for example). IMO tor is doing the right, expected thing
 and the spec should be clarified.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29432>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list