- From: Jamie Lokier <jamie@shareable.org>
- Date: Tue, 16 Jan 2007 21:17:26 +0000
- To: Henrik Nordstrom <hno@squid-cache.org>
- Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:
> Hmm.. maybe there is also request smuggling attacks possible
> here if there is some server/proxy software ignoring that there may be a
> request body..

See also "Content-Length : 12345" (note the space). I think that is interpreted as a Content-Length header by some agents, and a "Content-Length " header by others (i.e. not implying a body), and disallowed as bad syntax by others.

Ample opportunities for request smuggling.

-- Jamie

Received on Tuesday, 16 January 2007 22:06:45 UTC
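
The three readings of "Content-Length : 12345" described in the message above, as an added example that is not part of the original post: two tolerant agents disagree about whether a body follows, and a strict check rejects the line. The function names and the `SAMPLE` header block are hypothetical and constructed for illustration.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # field-name characters

def fields(block):
    """Split a header block into (raw_name, value) pairs, one per line."""
    pairs = []
    for line in block.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name, value.strip(" \t")))
    return pairs

def body_length_trimming(block):
    """Agent that trims the name: 'Content-Length ' counts as Content-Length."""
    for name, value in fields(block):
        if name.strip(" \t").lower() == "content-length":
            return int(value)
    return 0

def body_length_literal(block):
    """Agent that keeps the name as-is: 'Content-Length ' is some other header."""
    for name, value in fields(block):
        if name.lower() == "content-length":
            return int(value)
    return 0

def strict_check(block):
    """Return every field name that is not a bare token (e.g. space before ':')."""
    return [name for name, _ in fields(block) if not TOKEN.match(name)]

# Constructed sample: header lines only, using the field line quoted in the message.
SAMPLE = "Host: example.test\r\nContent-Length : 12345\r\n\r\n"

if __name__ == "__main__":
    print("trimming agent expects body bytes:", body_length_trimming(SAMPLE))
    print("literal agent expects body bytes: ", body_length_literal(SAMPLE))
    print("strict agent rejects names:       ", strict_check(SAMPLE))
```

A front end and a back end that land on different rows of this output disagree on where the request ends, which is why the later HTTP/1.1 specification (RFC 7230, section 3.2.4) requires servers to reject whitespace between the field name and the colon with 400 Bad Request.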