Re: [NEW ISSUE] Content-Length and Transfer-Encoding: security implications from Henrik Nordstrom on 2007-12-06 (ietf-http-wg@w3.org from October to December 2007)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 06 Dec 2007 04:10:15 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1196910615.30847.25.camel@henriknordstrom.net>

On ons, 2007-12-05 at 09:08 +1300, Adrien de Croy wrote:

> Wouldn't the best approach be to ban Transfer-Encoding from HTTP/1.0 
> clients?  Removing the Transfer-Encoding header in this case solves the 
> problem, as then the payload of the post is correctly encapsulated.

Yes, a SHOULD requirement that servers and clients SHOULD reject
HTTP/1.0 messages using chunked transfer-encoding as invalid would be a
good thing. Required to solve interoperability issues regarding these
requests when there is an HTTP/1.0 proxy in the path.

For a pure HTTP/1.1 path (or any path where there isn't an HTTP/1.0
proxy) the existing wording works.

Note: there is some servers out there in the whild who respond with both
Content-Length and chunked.. but probably not many...

http://www.squid-cache.org/mail-archive/squid-users/200711/0605.html

Regards
Henrik

Received on Thursday, 6 December 2007 03:10:47 UTC