W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: chunking without chunking

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 18 Jun 2009 12:15:34 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1245320134.15069.394.camel@localhost.localdomain>
ons 2009-06-17 klockan 18:40 +1200 skrev Adrien de Croy:

> sorry, today seems to be a run of issues.  We found a website that sends 
> Transfer-Encoding: chunked, but then doesn't send the data chunked.  
> This means the first line of content is parsed as a chunk header, which 
> resolves to a chunk length of 0, since the first line is non-numeric.

Which is an invalid chunk.. malformed HTTP response etc..

> OK, so this is obviously seriously broken.  And it broke our proxy, 
> since we decided we were getting a 0 chunk right up followed by a bunch 
> of extraneous data.

Correct. Both broken. Site broken in sending a malformed HTTP response,
proxy broken in incorrectly misreading it as a valid response...

> However, it works in IE and Chrome.  Firefox spins its wheels indefinitely.

Heh..

Specs is quite dim on how clients should deal with malformed responses,
so no surprise agents differ in how they react.

> So, IE (8) and Chrome (2) can scavenge the data out of a stream that is 
> supposed to be chunked but isn't.  This is possibly a security problem 
> for these browsers.

Would be very interesting to see results if you mix Content-Length with
this, and pipelined responses...


> Handling this cleanly is difficult.  We get complaints from customers 
> that the proxy breaks the site, because their browser works fine going 
> direct to the site, so it must be the proxy's fault.

As usual...

Tried contacting the site owners/authors/technical webmaster? It's not a
very common server brokeness and the company owning the site in question
seem to be both responsible and serious..

Regards
Henrik
Received on Thursday, 18 June 2009 10:16:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:04 GMT