W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2006

Re: Large content size value

From: Roy T. Fielding <fielding@gbiv.com>
Date: Sat, 30 Dec 2006 20:52:34 -0800
Message-Id: <D98D146D-E0ED-48B4-88C9-0F2DA4B52A70@gbiv.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Travis Snoozy (Volt) <a-travis@microsoft.com>

On Dec 29, 2006, at 3:58 PM, Travis Snoozy (Volt) wrote:
> David Morris said:
>> Look at the bright side ... you got an error message from IE7 ....
>> in the long established tradition of clear messages, the message
>> even related to to problem.
>>
>> IE6 is totally confused and ends up downloaning 451,140 bytes and
>> declares success ...
>>
>
> Well, there's a good 60+% of users on the WWW that won't  
> interoperate with this particular server using this particular  
> file, then. IIS appears to have an integer overflow (!) when  
> replying to a HEAD method on a file greater than 4GiB:

Implementations can have bugs.  That doesn't change the standard.

> For reference, the size of the file is 4,368,281,840 bytes, 4GiB is  
> 4,294,967,295 bytes, and the difference is 73,314,545 bytes (the  
> value of Content-Length + 1). The actual GET returns a 501/Not  
> Supported, but the erroneous HEAD reply is still Bad and Wrong.

You should file it with the other protocol errors in IIS.

> Not that it's a surprise; these are the _exact_ problems that I  
> predicted would show up, based solely on what the spec said. Go  
> figure. More digging in more products will very likely uncover  
> similar issues (and not just in Content-Length, but anywhere where  
> 1*DIGIT is present).

That is complete nonsense.  The spec does not say "Fail to use any  
common
sense or valid software engineering techniques while reading untrusted
network input." Nor does it say "Failure to recognize and handle integer
field values larger than the expected integer size is okay."

Professional software developers are expected to know better and be
able to use their own judgement. They don't need a standard to tell
them it is a bug.

....Roy
Received on Sunday, 31 December 2006 04:53:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:53 GMT