
Re: [NEW ISSUE] Content-Length and Transfer-Encoding: security implications

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 06 Dec 2007 04:10:15 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1196910615.30847.25.camel@henriknordstrom.net>
On ons, 2007-12-05 at 09:08 +1300, Adrien de Croy wrote:

> Wouldn't the best approach be to ban Transfer-Encoding from HTTP/1.0 
> clients?  Removing the Transfer-Encoding header in this case solves the 
> problem, as then the payload of the post is correctly encapsulated.

Yes, a SHOULD requirement that servers and clients SHOULD reject
HTTP/1.0 messages using chunked transfer-encoding as invalid would be a
good thing. It is required to solve interoperability issues regarding these
requests when there is an HTTP/1.0 proxy in the path.

For a pure HTTP/1.1 path (or any path where there isn't an HTTP/1.0
proxy) the existing wording works.

Note: there are some servers out there in the wild who respond with both
Content-Length and chunked.. but probably not many...

http://www.squid-cache.org/mail-archive/squid-users/200711/0605.html

Regards
Henrik

Received on Thursday, 6 December 2007 03:10:47 GMT
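The framing rules under discussion, as an added example that is not part of the message above and not Squid's or any other server's code. It implements the policy Henrik proposes (reject chunked in an HTTP/1.0 message), treats a message carrying both Content-Length and Transfer-Encoding as ambiguous rather than quietly ignoring the length, and shows why the two parsers in the thread's scenario disagree: the same bytes are framed once the way a Content-Length-only HTTP/1.0 proxy would see them and once the way a chunk-aware HTTP/1.1 server would. The sample requests, hostnames and paths are constructed for the example.

```python
import re

class FramingError(ValueError):
    """Raised when a message's body length cannot be determined unambiguously."""

_START = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

def parse_head(raw):
    """Split the head off the body. Returns ((major, minor), headers, body)
    with header names lower-cased; rejects malformed request and header lines."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    m = _START.match(lines[0])
    if not m:
        raise FramingError("bad request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise FramingError("bad header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return (int(m.group(3)), int(m.group(4))), headers, body

def body_framing(version, headers):
    """Decide how the body is delimited: ("chunked", None), ("length", n)
    or ("none", 0). Anything a peer might frame differently is rejected."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te:
        if version < (1, 1):
            # the SHOULD proposed in the thread: HTTP/1.0 senders must not chunk
            raise FramingError("Transfer-Encoding in an HTTP/1.0 message")
        if cl:
            # a 1.0 proxy and a 1.1 server would disagree on where the body ends
            raise FramingError("both Content-Length and Transfer-Encoding")
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            raise FramingError("unsupported Transfer-Encoding %r" % codings)
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(rb"\d+", cl[0]):
            raise FramingError("bad or conflicting Content-Length %r" % cl)
        return ("length", int(cl[0]))
    return ("none", 0)

def decode_chunked(body):
    """Decode a chunked body. Returns (payload, leftover bytes after the
    terminating chunk); the leftover is what a downstream parser would
    read as the start of the next request."""
    out, pos = b"", 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise FramingError("bad chunk size %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            end = body.find(b"\r\n", pos)          # skip trailer lines up to the empty one
            while end >= 0 and end != pos:
                pos = end + 2
                end = body.find(b"\r\n", pos)
            if end < 0:
                raise FramingError("truncated trailer")
            return out, body[end + 2:]
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk")
        out, pos = out + chunk, pos + size + 2

def check_request(raw):
    """Strict framing: returns (kind, payload, leftover) or raises FramingError."""
    version, headers, body = parse_head(raw)
    kind, n = body_framing(version, headers)
    if kind == "chunked":
        payload, rest = decode_chunked(body)
    else:
        if len(body) < n:
            raise FramingError("short body")
        payload, rest = body[:n], body[n:]
    return kind, payload, rest

def rejects(raw):
    """Rejection reason for a message, or None if it frames cleanly."""
    try:
        check_request(raw)
    except FramingError as e:
        return str(e)
    return None

def length_only_view(raw):
    """Body as seen by a parser that honours only Content-Length (the HTTP/1.0
    proxy in the thread's scenario): (body, leftover on the connection)."""
    _, headers, body = parse_head(raw)
    n = int([v for name, v in headers if name == b"content-length"][0])
    return body[:n], body[n:]

def chunked_only_view(raw):
    """Body as seen by a parser that honours Transfer-Encoding over
    Content-Length (an HTTP/1.1 server): (body, leftover on the connection)."""
    _, _, body = parse_head(raw)
    return decode_chunked(body)

# Constructed sample requests (not from the thread or any capture).
HTTP10_CHUNKED = (b"POST /cgi HTTP/1.0\r\nHost: example.test\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
GOOD_CHUNKED = (b"POST /cgi HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n1\r\n!\r\n0\r\n\r\n")
SMUGGLE_BODY = b"0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"
CL_AND_TE = (b"POST /cgi HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: " + str(len(SMUGGLE_BODY)).encode() + b"\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n" + SMUGGLE_BODY)
```

Run length_only_view and chunked_only_view over CL_AND_TE to see the disagreement: the length-only parser forwards the whole body, including the embedded GET line, as one POST; the chunk-aware parser ends the body at the zero chunk and is left holding "GET /admin HTTP/1.1" as a second request. check_request refuses the message outright instead of picking a side, and rejects HTTP10_CHUNKED for the reason Henrik gives.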