On Tue, 16 Jan 2007, Jamie Lokier wrote:

> Henrik Nordstrom wrote:
>> Hmm.. maybe there is also request smuggling attacks possible
>> here if there is some server/proxy software ignoring that there may be a
>> request body..
>
> See also "Content-Length : 12345" (note the space). I think that is
> interpreted as a Content-Length header by some agents, and a
> "Content-Length " header by others (i.e. not implying a body), and
> disallowed as bad syntax by others. Ample opportunities for request
> smuggling.

Alex Rousskov pointed out some time ago that it was covered by the spec in 2.1, implied *LWS.
So it should always be interpreted as "Content-Length"

Cheers,

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

        ~~Yves

Received on Wednesday, 17 January 2007 10:04:57 GMT
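An added illustration of the three interpretations discussed in this thread (not part of the original messages): the Python below computes the body length that a lenient, a literal and a strict header parser would each assume for a request head, and flags heads on which they disagree. The sample requests and all function names are constructed for this example.

```python
import re

# Constructed sample request heads (not taken from the thread).
SAMPLE_SPACED = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length : 12345\r\n"
    b"\r\n"
)
SAMPLE_CLEAN = SAMPLE_SPACED.replace(b"Content-Length :", b"Content-Length:")

# HTTP "token" characters allowed in a field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def split_field(line):
    """Return (raw_name, value); raw_name keeps any whitespace before ':'."""
    raw_name, sep, value = line.partition(b":")
    if not sep:
        raise ValueError("header line without colon")
    return raw_name, value.strip(b" \t")


def content_length_views(head):
    """Body length each of the three behaviours from the thread would assume.

    lenient: implied *LWS, so "Content-Length " is read as Content-Length
    literal: the name is taken as written, so "Content-Length " is unknown
    strict:  whitespace before the colon is bad syntax (None means reject)
    """
    views = {"lenient": 0, "literal": 0, "strict": 0}
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # skip request line
    for line in lines:
        raw_name, value = split_field(line)
        trimmed = raw_name.rstrip(b" \t")
        if raw_name != trimmed or not TOKEN.match(trimmed):
            views["strict"] = None  # one bad field rejects the whole request
        if trimmed.lower() != b"content-length" or not value.isdigit():
            continue
        views["lenient"] = int(value)
        if raw_name == trimmed:
            views["literal"] = int(value)
            if views["strict"] is not None:
                views["strict"] = int(value)
    return views


def framing_disagrees(head):
    """True when the three behaviours do not agree on where the body ends."""
    return len(set(content_length_views(head).values())) > 1
```

A front end can run a check like `framing_disagrees` on incoming request heads and reject or normalise any that trip it before forwarding.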