Re: [#95] Multiple Content-Lengths

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 12 Oct 2010 22:56:05 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <nhi9b69b0vb9f859q5t2euo0u88c18bqpv@hive.bjoern.hoehrmann.de>
* Adrien de Croy wrote:
>I agree.  The current spec presumes it's an innocent error that a 
>Content-Length header sneaked in, and really it's meant to be chunked if 
>there's a Transfer-Encoding: chunked header.
>
>However for any other problem scenario, this leads to other issues which 
>show up as malformed chunks if you're lucky.
>
>I'm struggling to see how this could be used in an attack though.

If all participants in an HTTP communication agree that the messages are
delimited by the lengths indicated for the chunks (or by the length in
the Content-Length header) then there is no problem, but if some use the
Content-Length headers while others use the chunks the framing is broken
and an attacker may be able to get some of the participants to treat the
entity body of a message as request or response.

Using both is already forbidden and what to do if you do not want to
abort the connection is also well-defined. That HTTP implementations may
also abort a connection if they feel like it is already clear, so there
does not seem to be anything that needs changing (and a requirement to
abort the connection would probably be widely ignored at least for some
time).
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 12 October 2010 20:56:49 GMT
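
The framing disagreement described in the message above, as an added example that is not part of the original post or of any HTTP implementation: a strict receiver that rejects a message head carrying both length signals or conflicting Content-Length values, plus a chunk walker showing where the same bytes would end under the other reading. The function names, the sample request and the host example.test are constructed for illustration.

```python
# Added example: decide how a message body is delimited, refusing ambiguous heads.
def parse_headers(head: bytes):
    """Return [(lowercased name, value)] from a raw message head."""
    out = []
    for line in head.split(b"\r\n")[1:]:      # skip the start line
        if not line:
            break
        name, _, value = line.partition(b":")
        out.append((name.strip().lower(), value.strip()))
    return out

def framing(head: bytes):
    """Return ("chunked", None), ("length", n) or ("none", None); ValueError if ambiguous."""
    hdrs = parse_headers(head)
    te = [t.strip().lower() for n, v in hdrs if n == b"transfer-encoding" for t in v.split(b",")]
    # Identical repeated lengths collapse to one value (a choice made in this example).
    cl = {p.strip() for n, v in hdrs if n == b"content-length" for p in v.split(b",")}
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if len(cl) > 1:
        raise ValueError("conflicting Content-Length values")
    if te:
        if te[-1] != b"chunked":
            raise ValueError("final transfer-coding is not chunked")
        return ("chunked", None)
    if cl:
        (val,) = cl
        if not val.isdigit():                 # bytes.isdigit() accepts ASCII 0-9 only
            raise ValueError("Content-Length is not a decimal number")
        return ("length", int(val))
    return ("none", None)

def chunked_end(body: bytes) -> int:
    """Offset just past the chunked body, i.e. where the next message would start."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)        # ValueError if the size line is incomplete
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:                         # last-chunk: skip any trailers to the blank line
            return body.index(b"\r\n\r\n", eol) + 4
        pos = eol + 2 + size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2

# Constructed sample: one head that carries both length signals, and a chunked body.
HEAD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
BODY = b"5\r\nhello\r\n0\r\n\r\n"
```

For this sample a party that trusts Content-Length stops after 3 bytes of the body while one that follows the chunks stops after 15, so the remaining bytes would be parsed as the start of the next message by one of them; `framing(HEAD)` refuses the head instead of picking a side.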