- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Mon, 20 Sep 2010 11:10:34 +0200
- To: Anne van Kesteren <annevk@opera.com>
- CC: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
On 20.09.2010 10:50, Anne van Kesteren wrote:
> What exactly is the security issue then? Before I was told it's a
> potential security issue. If it's a security issue then the
> specification should probably not define recovery at all and user agents
> would have outstanding security advisories.

The security issue is that with conflicting length information, different recipients (proxies, user agents) may extract different payloads, *and* may differ in what part of the stream they use for the next message.

See <http://www.google.de/search?q=http+request+smuggling>.

The spec currently says that a message like this is broken. Origin servers are required to respond with 400 + closing the connection, clients are required to read until EOF + close the connection, plus signal an error.

The client behavior is some kind of recovery, and I'd be totally happy if we agreed that clients MUST NOT display the message. However, I have my doubts that we can convince the browser implementers of that.

Best regards, Julian
Received on Monday, 20 September 2010 09:11:09 UTC
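The conflict Julian describes (two framing headers, or several Content-Length values, that different recipients may resolve differently) can be detected at parse time; the following is an added example, not code from the thread or any HTTP implementation, showing a check over a raw message head and the origin-server behaviour the draft mandates (400 plus connection close). The sample messages and the function names are constructed for this illustration.

```python
"""Detect HTTP/1.1 message heads with conflicting body-length information.

Added example (not from the mailing-list thread). It reports the
ambiguity the email describes and returns the origin-server reaction
the draft requires: 400 Bad Request plus closing the connection.
"""
from typing import List, Optional, Tuple


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a message head into its start line and (name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def length_conflict(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Describe conflicting framing information, or return None if unambiguous."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    # A comma-separated list in one field counts as several values too.
    cl_values = [x.strip() for v in cl for x in v.split(",")]
    if len(set(cl_values)) > 1:
        return "multiple differing Content-Length values: " + ", ".join(cl_values)
    if any(not x.isdigit() for x in cl_values):
        return "non-numeric Content-Length"
    return None


def origin_server_response(raw: bytes) -> Tuple[int, bool]:
    """(status code, close connection?) an origin server should produce for raw."""
    _, headers = parse_head(raw)
    if length_conflict(headers):
        return 400, True  # reject and close, as the draft requires
    return 200, False


# Constructed samples: one message with two incompatible framing headers, one clean.
AMBIGUOUS = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")
CLEAN = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\n"
```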