- From: Jamie Lokier <jamie@shareable.org>
- Date: Sun, 25 Jan 2009 19:48:32 +0000
- To: Peter <cnmjbm@gmail.com>
- Cc: ietf-http-wg@w3.org
Peter wrote:
> In TR-69 domain, messages are text-based SOAP envelopes carried in HTTP 1.1
> messages. The messages are always of text/html type and normally
> syntactically terminated by </soap:Envelope> tag.
>
> If you would argue with "what if the soap msg has syntax errors or the end
> tag got lost?", I would say it is the same situation as "what if a http msg
> has a Content-Length header with incorrect msg body length?".

The difference is that HTTP message boundaries (Content-Length etc.) and <soap:Envelope> are normally parsed by different software.

Message boundaries are parsed by proxies, and those should not have any knowledge of <soap:Envelope> or other non-HTTP message boundary terminators.

Message boundaries are also often parsed by generic HTTP agents, before passing individual messages to specific applications.

> In any situation, the receiver should be able to recover from error input.

If HTTP message boundaries aren't clear, it opens a whole bunch of security holes. Especially, connections from proxies may carry messages from multiple unrelated users at the same time.

-- Jamie
Received on Sunday, 25 January 2009 19:49:07 UTC
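
An added illustration of the point in the reply above (not part of the original message): two requests from different users share one proxy connection, and the first SOAP body has lost its end tag. Framing by Content-Length keeps the two bodies apart, while scanning for </soap:Envelope> merges them. The function names, the X-User header, the /acs path and the sample bytes are all constructed, and only Content-Length framing is handled (no chunked encoding).

```python
# Added illustration; every name and sample byte string here is constructed.
END_TAG = b"</soap:Envelope>"

def make_msg(user: bytes, body: bytes) -> bytes:
    """Build one constructed HTTP/1.1 request with a correct Content-Length."""
    return (b"POST /acs HTTP/1.1\r\nHost: acs.example\r\nX-User: " + user +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

def split_by_content_length(stream: bytes) -> list[bytes]:
    """Frame bodies from HTTP headers alone, as a proxy or generic agent does."""
    bodies, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("incomplete header block")
        lengths = set()
        for line in stream[pos:head_end].split(b"\r\n")[1:]:  # skip start line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                lengths.add(value.strip())
        if len(lengths) != 1:
            raise ValueError("missing or conflicting Content-Length")
        declared = lengths.pop()
        if not declared.isdigit():
            raise ValueError("non-numeric Content-Length")
        start = head_end + 4
        end = start + int(declared)
        if end > len(stream):
            raise ValueError("body shorter than Content-Length")
        bodies.append(stream[start:end])
        pos = end
    return bodies

def split_by_end_tag(stream: bytes) -> list[bytes]:
    """Application-level framing: cut after each </soap:Envelope> seen."""
    parts, pos = [], 0
    while (hit := stream.find(END_TAG, pos)) != -1:
        parts.append(stream[pos:hit + len(END_TAG)])
        pos = hit + len(END_TAG)
    if pos < len(stream):
        parts.append(stream[pos:])  # leftover bytes with no terminator
    return parts

# Constructed input: the first user's envelope is missing its end tag.
BODY_A = b"<soap:Envelope><soap:Body>A-data</soap:Body>"
BODY_B = b"<soap:Envelope><soap:Body>B-data</soap:Body></soap:Envelope>"
STREAM = make_msg(b"user-a", BODY_A) + make_msg(b"user-b", BODY_B)
```

With the end-tag scan, the single "message" handed to the application contains the second user's request line, headers and body appended to the first user's data.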