W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Re: i19 Bodies on GET (and other) requests

From: Jamie Lokier <jamie@shareable.org>
Date: Thu, 18 Jan 2007 21:33:24 +0000
To: Yves Lafon <ylafon@w3.org>
Cc: Henrik Nordstrom <hno@squid-cache.org>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20070118213324.GD24028@mail.shareable.org>

Yves Lafon wrote:
> >Henrik Nordstrom wrote:
> >>Hmm.. maybe there is also request smuggling attacks possible
> >>here if there is some server/proxy software ignoring that there may be a
> >>request body..
> >
> >See also "Content-Length : 12345" (note the space).  I think that is
> >interpreted as a Content-Length header by some agents, and a
> >"Content-Length " header by others (i.e. not implying a body), and
> >disallowed as bad syntax by others.  Ample opportunities for request
> >smuggling.
> 
> Alex Rousskov pointed out some time ago that it was covered by the spec in 
> 2.1, implied *LWS.
> So  it should always be interpreted as "Content-Length"

In fact, Alex and I read the identical text and disagreed over whether
it allows *LWS before the colon.

(Which, by the way, means that text should be clarified in any new revision).

But that's besides the point; what the spec covers is theoretical.  In
theory, there are no request smuggling attacks.

As I recall, from looking at source code, actually deployed
implementations interpret "Content-Length : 12345" in all the ways I
described.  See also " Content-Length: 12345" (space before the name)
for additional surprises.

-- Jamie
Received on Thursday, 18 January 2007 21:33:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT