
Re: [#95] Multiple Content-Lengths

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 20 Sep 2010 11:10:34 +0200
Message-ID: <4C97250A.4020206@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
On 20.09.2010 10:50, Anne van Kesteren wrote:
> What exactly is the security issue then? Before I was told it's a
> potential security issue. If it's a security issue then the
> specification should probably not define recovery at all and user agents
> would have outstanding security advisories.

The security issue is that with conflicting length information, 
different recipients (proxies, user agents) may extract different 
payloads, *and* may differ in what part of the stream they use for the 
next message.

See <http://www.google.de/search?q=http+request+smuggling>.

The spec currently says that a message like this is broken. Origin 
servers are required to respond with 400 + closing the connection, 
clients are required to read until EOF + close the connection, plus 
signal an error.

The client behavior is some kind of recovery, and I'd be totally happy 
if we agreed that clients MUST NOT display the message. However I have 
my doubts that we can convince the browser implementers of that.

Best regards, Julian
Received on Monday, 20 September 2010 09:11:09 GMT
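An added example, not code from this thread or from any HTTP implementation, showing the failure Julian describes: one constructed request stream carrying two differing Content-Length headers, framed under three policies (use the first value, use the last value, or reject the conflict, which is the draft behaviour he summarises). The lenient recipients disagree about where the next message starts, so one of them sees a second request the other treats as body; the strict origin answers 400 and closes. The policy names, the `example.test` host, the `/upload` and `/admin` targets and the stream itself are all assumptions constructed for the example.

```python
"""Added example (not from the original thread): conflicting Content-Length
headers let two recipients split the same byte stream differently.  The input
stream below is constructed for illustration, not captured traffic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRLF = b"\r\n"


@dataclass
class Message:
    start_line: bytes
    headers: List[Tuple[bytes, bytes]]   # (name, value) in wire order, names lowercased
    body: bytes


class FramingError(Exception):
    """Raised by the strict policy; an origin server answers 400 and closes."""


def content_lengths(headers: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """Every Content-Length value, including members of a comma-separated list."""
    values = []
    for name, value in headers:
        if name == b"content-length":
            values.extend(v.strip() for v in value.split(b","))
    return values


def frame_one(stream: bytes, policy: str) -> Optional[Tuple[Message, bytes]]:
    """Parse one message from the front of stream.

    policy (names are this example's own):
      "first"  - trust the first Content-Length (a lenient recipient)
      "last"   - trust the last Content-Length (a different lenient recipient)
      "strict" - reject differing Content-Length values (the draft's rule)
    Returns (message, remaining_bytes), or None when the stream is exhausted.
    """
    if not stream:
        return None
    head, sep, rest = stream.partition(CRLF + CRLF)
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    lengths = content_lengths(headers)
    if not lengths:
        length = 0
    elif policy == "strict":
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise FramingError("conflicting Content-Length values: %r" % lengths)
        length = int(lengths[0])
    elif policy == "first":
        length = int(lengths[0])
    elif policy == "last":
        length = int(lengths[-1])
    else:
        raise ValueError("unknown policy %r" % policy)
    if len(rest) < length:
        raise FramingError("body truncated")
    return Message(lines[0], headers, rest[:length]), rest[length:]


def frame_all(stream: bytes, policy: str) -> List[Message]:
    """Split a whole stream into messages under one policy."""
    messages = []
    while True:
        result = frame_one(stream, policy)
        if result is None:
            return messages
        msg, stream = result
        messages.append(msg)


def handle_as_origin(stream: bytes) -> Tuple[int, bool]:
    """Origin behaviour from the thread: (status, close_connection).
    A conflicting message gets 400 and the connection is closed."""
    try:
        frame_all(stream, "strict")
    except FramingError:
        return 400, True
    return 200, False


# Constructed stream: a POST with two Content-Length values (5 and 48).  The 43
# bytes after "hello" are a second request under "first" and body under "last".
SMUGGLED = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"hello"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    for policy in ("first", "last"):
        targets = [m.start_line for m in frame_all(SMUGGLED, policy)]
        print(policy, "sees", len(targets), "request(s):", targets)
    print("strict origin replies", handle_as_origin(SMUGGLED))
```

Run stand-alone, the script shows the "first" recipient seeing two requests (the POST and a GET for /admin) while the "last" recipient sees a single POST whose body swallows the GET; the strict origin refuses to pick and returns 400 with the connection closed, which is the only outcome on which both sides of the stream can agree.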
