W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: A question about Content-Length header

From: Jamie Lokier <jamie@shareable.org>
Date: Sun, 25 Jan 2009 19:48:32 +0000
To: Peter <cnmjbm@gmail.com>
Cc: ietf-http-wg@w3.org
Message-ID: <20090125194831.GB4799@shareable.org>

Peter wrote:
> In TR-69 domain, messages are text-based SOAP envelopes carried in HTTP 1.1 
> messages. The messages are always of text/html type and normally 
> syntactically terminated by </soap:Envelope> tag.
> 
> If you would argue with "what if the soap msg has syntax errors or the end 
> tag got lost?", i would say it is the same situation as "what if a http msg 
> has a Content-Length header with incorrect msg body length?".

The difference is that HTTP message boundaries (Content-Length etc.)
and <soap:Envelope> are normally parsed by different software.

Message boundaries are parsed by proxies, and those should not have
any knowlege of <soap:Envelope> or other non-HTTP message boundary
terminators.  Message boundaries are also often parsed by generic HTTP
agents, before passing individual messages to specific applications.

> In any situation, the receiver should be able to recover from error input.

If HTTP message boundaries aren't clear, it opens a whole bunch of
security holes.  Especially, connections from proxies may carry
messages from multiple unrelated users at the same time.

-- Jamie
Received on Sunday, 25 January 2009 19:49:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT