(issue 95) - security considerations

From: Amit Klein <aksecurity@gmail.com>
Date: Thu, 11 Sep 2008 22:11:13 +0200
Message-ID: <48C97B61.5010404@gmail.com>
To: ietf-http-wg@w3.org

The way I see it, double Content-Length is an instance of a more generic 
failure to follow RFC 2616 section 4.2, which reads:

Multiple message-header fields with the same field-name MAY be present 
in a message if and only if the entire field-value for that header field 
is defined as a comma-separated list [i.e., #(values)]. It MUST be 
possible to combine the multiple header fields into one "field-name: 
field-value" pair, without changing the semantics of the message, by 
appending each subsequent field-value to the first, each separated by a 
comma. The order in which header fields with the same field-name are 
received is therefore significant to the interpretation of the combined 
field value, and thus a proxy MUST NOT change the order of these field 
values when a message is forwarded.

Now, since Content-Length's field-value is not a comma-separated list, 
it follows that Content-Length should never be sent twice, and the same 
holds for many other headers. Perhaps it's simply worth mentioning 
explicitly in the RFC?!

-Amit
Received on Thursday, 11 September 2008 19:07:15 GMT
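A minimal check that applies the section 4.2 combining rule the post quotes: list-valued headers are merged by comma in received order, while a repeated non-list header such as Content-Length is rejected as ambiguous instead of being resolved by picking one occurrence. This is an added example, not code from the post or from any HTTP implementation; the set of list-valued header names is an illustrative assumption.

```python
"""Header-combining rule from RFC 2616 section 4.2, applied to constructed
header blocks (added example; not from the post or any HTTP server)."""

# Headers whose field-value is defined as a comma-separated list (#(values)),
# so repeated fields may be merged by appending values in received order.
# Assumption: a small illustrative set; a real implementation needs the full table.
LIST_HEADERS = {"accept", "accept-encoding", "cache-control", "via",
                "transfer-encoding", "connection", "vary"}


class AmbiguousMessage(ValueError):
    """A non-list header (e.g. Content-Length) appeared more than once."""


def combine_headers(raw_lines):
    """Fold 'Name: value' lines into a dict of lowercased field-name -> field-value.

    List-valued headers are combined by appending each subsequent value to the
    first, separated by a comma, preserving received order.  Any other header
    that repeats makes the message ambiguous and is rejected rather than
    silently choosing the first or last occurrence.
    """
    combined = {}
    for line in raw_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        if key not in combined:
            combined[key] = value
        elif key in LIST_HEADERS:
            combined[key] = combined[key] + ", " + value
        else:
            raise AmbiguousMessage(f"duplicate non-list header: {name.strip()}")
    return combined


def check_message(raw_lines):
    """Return ('ok', headers) or ('reject', reason) for one header block."""
    try:
        return ("ok", combine_headers(raw_lines))
    except AmbiguousMessage as exc:
        return ("reject", str(exc))


# Constructed sample header blocks (not captured traffic).
GOOD = ["Host: example.test", "Accept: text/html", "Accept: application/json",
        "Content-Length: 5"]
BAD = ["Host: example.test", "Content-Length: 5", "Content-Length: 11"]

if __name__ == "__main__":
    print(check_message(GOOD))  # Accept merged, single Content-Length kept
    print(check_message(BAD))   # rejected: duplicate Content-Length
```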