
Re: A question about Content-Length header

From: Peter <cnmjbm@gmail.com>
Date: Sun, 25 Jan 2009 12:01:20 -0800
Message-ID: <91EC698D6CD04F8283EA8A42D8714F22@XP4ANDROID>
To: <ietf-http-wg@w3.org>
Cc: "Jamie Lokier" <jamie@shareable.org>

----- Original Message ----- 
From: "Jamie Lokier" <jamie@shareable.org>

> The difference is that HTTP message boundaries (Content-Length etc.)
> and <soap:Envelope> are normally parsed by different software.
> Message boundaries are parsed by proxies, and those should not have
> any knowledge of <soap:Envelope> or other non-HTTP message boundary
> terminators.  Message boundaries are also often parsed by generic HTTP
> agents, before passing individual messages to specific applications.

I won't argue against the difference (software, agent, proxy or app 
implementation), but in the TR-69 domain there seems to be no proxy between server and 

By the way, if in generic HTTP domains there is such a security hole, either 
the application should not be additionally layered with a generic HTTP agent 
(library) or the RFC should have precisely/clearly mandated at least one of 
Content-Length and chunked encoding.

>> In any situation, the receiver should be able to recover from error 
>> input.
> If HTTP message boundaries aren't clear, it opens a whole bunch of
> security holes.  Especially, connections from proxies may carry
> messages from multiple unrelated users at the same time.
> -- Jamie 
Received on Sunday, 25 January 2009 20:05:15 UTC
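
A receiver-side framing check for the point discussed in this thread, that the end of a message has to be decided from the HTTP headers alone, without looking into the body (added example, not code from either poster). The names `body_framing` and `FramingError` and the fail-closed policy are assumptions of this example; the policy is stricter than the RFC minimum in that a message carrying both Content-Length and Transfer-Encoding is rejected rather than letting Transfer-Encoding override.

```python
class FramingError(ValueError):
    """The message boundary cannot be determined unambiguously."""


def body_framing(raw_headers, is_request):
    """Decide how the body of one HTTP/1.1 message is delimited.

    raw_headers: list of (name, value) pairs as received, duplicates kept.
    Returns (mode, length), where mode is 'chunked', 'length',
    'none' (no body) or 'until-close' (responses only).
    """
    lengths, codings = set(), []
    for name, value in raw_headers:
        key = name.strip().lower()
        if key == "content-length":
            # Repeated or comma-joined values are tolerated only if identical.
            for part in value.split(","):
                part = part.strip()
                # ASCII digits only: rejects '', '+5', '-1', '0x10', '4 2'.
                if not (part.isascii() and part.isdigit()):
                    raise FramingError(f"bad Content-Length: {value!r}")
                lengths.add(int(part))
        elif key == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]

    if codings and lengths:
        # Two parsers on the same connection could each pick a different
        # boundary, so this example refuses the message (assumed policy).
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if len(lengths) > 1:
        raise FramingError("conflicting Content-Length values")
    if codings:
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return ("chunked", None)
    if lengths:
        return ("length", lengths.pop())
    # Neither header: a request has no body; a response body runs until
    # the sender closes the connection.
    return ("none", 0) if is_request else ("until-close", None)
```

On a `FramingError` the receiver should answer with an error and close the connection, since the bytes that follow can no longer be attributed to a specific message.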
