
Re: A question about Content-Length header

From: Peter <cnmjbm@gmail.com>
Date: Sun, 25 Jan 2009 12:01:20 -0800
Message-ID: <91EC698D6CD04F8283EA8A42D8714F22@XP4ANDROID>
To: <ietf-http-wg@w3.org>
Cc: "Jamie Lokier" <jamie@shareable.org>


----- Original Message ----- 
From: "Jamie Lokier" <jamie@shareable.org>

> The difference is that HTTP message boundaries (Content-Length etc.)
> and <soap:Envelope> are normally parsed by different software.
>
> Message boundaries are parsed by proxies, and those should not have
> any knowledge of <soap:Envelope> or other non-HTTP message boundary
> terminators.  Message boundaries are also often parsed by generic HTTP
> agents, before passing individual messages to specific applications.

I won't argue against the difference (software, agent, proxy or app 
implementation), but in the TR-69 domain there seems to be no proxy between 
server and client.

By the way, if in generic HTTP domains there is such a security hole, either 
the application should not be additionally layered with a generic HTTP agent 
(library) or the RFC should have precisely/clearly mandated at least one of 
Content-Length and chunked encoding.

>
>> In any situation, the receiver should be able to recover from error 
>> input.
>
> If HTTP message boundaries aren't clear, it opens a whole bunch of
> security holes.  Especially, connections from proxies may carry
> messages from multiple unrelated users at the same time.
>
> -- Jamie

Received on Sunday, 25 January 2009 20:05:15 GMT
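
The framing rule discussed in this message, as an added example that is not part of the original post: a generic HTTP agent decides where a request ends from Content-Length or chunked encoding alone, never from the payload, and rejects ambiguous input instead of guessing. The function names, the `/acs` path, the host name and the sample requests are constructed for illustration, and rejecting a request that carries both headers is a strict choice assumed here.

```python
class FramingError(ValueError):
    """The message boundary is ambiguous; reject and close the connection."""

def parse_head(raw: bytes):
    """Split the header block from what follows; return (headers, rest)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if not sep or len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        raise FramingError("not a complete HTTP request head")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise FramingError("malformed header line")
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers, rest

def request_framing(raw: bytes):
    """Return (kind, length, rest); kind is 'chunked', 'length' or 'none'."""
    headers, rest = parse_head(raw)
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if [v.lower() for v in te] != [b"chunked"]:
            raise FramingError("unsupported Transfer-Encoding")
        return ("chunked", None, rest)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        return ("length", int(cl[0]), rest)
    # Neither header: the request has no body. Whatever follows is treated as
    # the next message; the payload is never scanned for an end tag.
    return ("none", 0, rest)

# Constructed sample requests (hypothetical host and path).
SOAP = b"<soap:Envelope>...</soap:Envelope>"
NO_LENGTH = b"POST /acs HTTP/1.1\r\nHost: acs.example\r\n\r\n" + SOAP
WITH_LENGTH = (b"POST /acs HTTP/1.1\r\nHost: acs.example\r\n"
               b"Content-Length: %d\r\n\r\n" % len(SOAP)) + SOAP
CONFLICT = (b"POST /acs HTTP/1.1\r\nHost: acs.example\r\n"
            b"Content-Length: 5\r\nContent-Length: 34\r\n\r\n" + SOAP)
```

With `NO_LENGTH`, the envelope ends up in `rest` and fails to parse as the next request, which is the failure a shared connection needs instead of a guessed boundary.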
