- From: Yves Lafon <ylafon@w3.org>
- Date: Wed, 17 Jan 2007 05:04:50 -0500 (EST)
- To: Jamie Lokier <jamie@shareable.org>
- Cc: Henrik Nordstrom <hno@squid-cache.org>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On Tue, 16 Jan 2007, Jamie Lokier wrote:
>
> Henrik Nordstrom wrote:
>> Hmm.. maybe there is also request smuggling attacks possible
>> here if there is some server/proxy software ignoring that there may be a
>> request body..
>
> See also "Content-Length : 12345" (note the space). I think that is
> interpreted as a Content-Length header by some agents, and a
> "Content-Length " header by others (i.e. not implying a body), and
> disallowed as bad syntax by others. Ample opportunities for request
> smuggling.
Alex Rousskov pointed out some time ago that it was covered by the spec in
2.1, implied *LWS.
So it should always be interpreted as "Content-Length"
Cheers,
--
Baroula que barouleras, au tiéu toujou t'entourneras.
~~Yves
Received on Wednesday, 17 January 2007 10:04:57 UTC