W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Re: i19 Bodies on GET (and other) requests

From: Henrik Nordstrom <hno@squid-cache.org>
Date: Tue, 16 Jan 2007 02:01:42 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1168909303.32694.79.camel@henriknordstrom.net>
tis 2007-01-16 klockan 01:06 +0100 skrev Henrik Nordstrom:
> 
> The perhaps biggest problem, apart from some implementations blocking
> such requests as "nonsense use of HTTP" is that it may be used as a
> covert channel to smuggle data out from a network. But there is a large
> number of those in HTTP and related services so not that big of a
> problem..  Hmm.. maybe there is also request smuggling attacks possible
> here if there is some server/proxy software ignoring that there may be a
> request body..

Hmm.. looked back a bit in my notes and find the latter to be the reason
why Squid still rejects such messages by default, protecting the cache
from request splitting attacks.. Our configuration notes even reads

request_entities

        Squid defaults to deny GET and HEAD requests with request entities,
        as the meaning of such requests are undefined in the HTTP standard
        even if not explicitly forbidden.

        Set this directive to on if you have clients which insists
        on sending request entities in GET or HEAD requests. But be warned
        that there is server software (both proxies and web servers) which
        can fail to properly process this kind of request which may make you
        vulnerable to cache pollution attacks if enabled.



Note: details on what software the above refers to have unfortunately
been lost over the years.

As a special case "Content-Length: 0" request messages is not restricted
by this directive as they are safe from the request injection problem (a
bit hard to fit a new request in 0 octets).

Regards
Henrik

Received on Tuesday, 16 January 2007 01:02:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT