W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2010

Re: "actual content length", was: Handling multiple headers when only one is allowed

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 11 Jun 2010 15:32:53 +0200
Message-ID: <4C123B05.2040003@gmx.de>
To: Adrien de Croy <adrien@qbik.com>
CC: Dan Winship <dan.winship@gmail.com>, Bil Corry <bil@corry.biz>, HTTP Working Group <ietf-http-wg@w3.org>, Michal Zalewski <lcamtuf@google.com>, Jeff Hodges <Jeff.Hodges@KingsMountain.com>, Adam Barth <ietf@adambarth.com>, "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
On 11.06.2010 15:24, Adrien de Croy wrote:
> I raised this problem a while back.
> All the browsers except Opera (limited case) make no complaint when a
> download is truncated. This is whether it's chunked and doesn't receive
> a final 0 chunk, or whether there's a content length and the connection
> is closed (whether or not the server indicated it would close) prior to
> that many bytes being transferred.
> I personally view this as highly problematic, and it's tied in with the
> work I've been doing recently with scanning at a proxy.
> The reason it's problematic, is because every single proxy I've tested
> (TMG/ISA, WinRoute, WinGate, Webmarshall - admittedly there are many
> more) does something called either "drip-feeding" or "trickling". If
> you're downloading a file through one of these proxies, they will send
> you a portion of the resource as it's coming down to the proxy. When the
> proxy has received the whole file, it scans it and sends the rest if
> it's ok, but if it's not ok, it has 1 option only - abort the connection.
> Since the browsers ignore the connection having been aborted, and
> present the downloaded file as if nothing was wrong, then any malware
> purveyor need only pad their malware out, so that the executable part
> will fall within the drip-feeding window. It basically renders AV at
> gateway potentially useless.
> If OTOH the browsers were to act on the fact that the download was
> aborted, this wouldn't be nearly as big a security risk.
> Regards
> Adrien

+1 to all of this (the problem also applies to cases where the server 
breaks while sending the content).

Do we have a test case for this? For the browsers that get this wrong, 
are there bug reports?

Best regards, Julian
Received on Friday, 11 June 2010 13:33:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:53 UTC