
Re: i19 Bodies on GET (and other) requests

From: Jamie Lokier <jamie@shareable.org>
Date: Tue, 16 Jan 2007 21:17:26 +0000
To: Henrik Nordstrom <hno@squid-cache.org>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20070116211726.GB13437@mail.shareable.org>

Henrik Nordstrom wrote:
> Hmm.. maybe there are also request smuggling attacks possible
> here if there is some server/proxy software ignoring that there may be a
> request body..

See also "Content-Length : 12345" (note the space).  I think that is
interpreted as a Content-Length header by some agents, and a
"Content-Length " header by others (i.e. not implying a body), and
disallowed as bad syntax by others.  Ample opportunities for request
smuggling.

-- Jamie
Received on Tuesday, 16 January 2007 22:06:45 GMT
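
The three readings described in the message above, as an added example that is not part of the original post: three hypothetical header parsers (not any real agent's code) are run over one constructed request head carrying the quoted header line. The strict parser rejects whitespace before the colon, which is the behaviour RFC 7230 section 3.2.4 later required of servers.

```python
import re

# Constructed sample request head; only the Content-Length line is from the message.
RAW_HEAD = (
    b"GET /resource HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length : 12345\r\n"
    b"\r\n"
)

# HTTP field names are bare tokens: no spaces or tabs allowed.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def header_lines(head):
    """Return the non-empty header lines that follow the request line."""
    return [line for line in head.split(b"\r\n")[1:] if line]

def body_length_trimming(head):
    """Lenient agent: trims the field name, so it sees Content-Length."""
    for line in header_lines(head):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return 0

def body_length_literal(head):
    """Literal agent: 'Content-Length ' is an unknown header, so no body."""
    for line in header_lines(head):
        name, _, value = line.partition(b":")
        if name.lower() == b"content-length":
            return int(value.strip())
    return 0

def body_length_strict(head):
    """Strict agent: refuses any field name that is not a bare token."""
    length = 0
    for line in header_lines(head):
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed header field name: %r" % name)
        if name.lower() == b"content-length":
            length = int(value.strip())
    return length

def framing_disagreement(head):
    """True when the two lenient readings disagree on the body length."""
    return body_length_trimming(head) != body_length_literal(head)
```

A front end and back end that fall into the first two categories disagree on where this request ends; rejecting the message outright, as the strict parser does, removes the disagreement.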
