
Re: [#95] Multiple Content-Lengths

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 18 Oct 2010 16:03:12 +1100
Cc: Julian Reschke <julian.reschke@gmx.de>, Maciej Stachowiak <mjs@apple.com>, Adam Barth <w3c@adambarth.com>, "William Chan (陈智昌)" <willchan@chromium.org>, "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1CFD59F7-CFD3-4A4F-986D-0619F3CA2D14@mnot.net>
To: "Eric J. Bowman" <eric@bisonsystems.net>

http://www.securiteam.com/securityreviews/5CP0L0AHPC.html

Technique #2.


On 18/10/2010, at 4:00 PM, Eric J. Bowman wrote:

> Mark Nottingham wrote:
>> 
>>> We can't simply break formerly-conforming implementations.
>> 
>> We can if it's a security issue.
>> 
> 
> The security issue in question is "HTTP request smuggling" which is an
> attack vector which always takes the form of a malicious request from a
> user-agent.  All it is, the other way around, is a broken server putting
> itself at risk.  There's no justification for a MUST even if there is
> consensus for it.
> 
> I thought the consensus the WG was after was whether or not to discard
> all but the first C-L or the last C-L.  The current proposed language
> says read to connection close, instead.  This makes loads of sense to
> me, instead of MUST fail hard based on what concern, exactly?
> 
> -Eric

--
Mark Nottingham   http://www.mnot.net/
Received on Monday, 18 October 2010 05:03:45 GMT
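The three handling options the thread debates (keep the first C-L, keep the last, or fail hard) side by side, as an added example that is not part of the thread or of any WG draft; the request head, header names and policy labels are constructed for illustration:

```python
import re
from typing import Optional

class BadRequest(Exception):
    """Raised when the framing is ambiguous and must not be trusted."""

def content_length_values(request_head: bytes) -> list[str]:
    """Every Content-Length value in order; comma lists are split.
    request_head is the request line plus headers; the request line is skipped."""
    values = []
    for line in request_head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            values.extend(v.strip().decode("latin-1") for v in value.split(b","))
    return values

def resolve_content_length(request_head: bytes, policy: str = "reject") -> Optional[int]:
    """Body length under a multiple-Content-Length policy (constructed labels):
    "reject" fails hard on conflicting values, "first"/"last" keep one value.
    Identical repeated values are accepted under every policy."""
    values = content_length_values(request_head)
    if not values:
        return None  # no Content-Length at all; framing is decided elsewhere
    for v in values:
        if not re.fullmatch(r"[0-9]+", v):
            raise BadRequest(f"malformed Content-Length value {v!r}")
    if len(set(values)) == 1:
        return int(values[0])
    if policy == "reject":
        raise BadRequest(f"conflicting Content-Length values {values}")
    if policy == "first":
        return int(values[0])
    if policy == "last":
        return int(values[-1])
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample: one request carrying two disagreeing Content-Length headers.
SAMPLE_HEAD = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Length: 44\r\n"
)

def outcomes(head: bytes = SAMPLE_HEAD) -> dict[str, object]:
    """How each policy frames the same bytes; two hops disagreeing is the risk."""
    result = {}
    for policy in ("reject", "first", "last"):
        try:
            result[policy] = resolve_content_length(head, policy)
        except BadRequest as exc:
            result[policy] = f"rejected: {exc}"
    return result
```

Run `outcomes()` to see that "first" and "last" frame the same request differently, which is exactly the disagreement between hops that a fail-hard rule removes.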
