W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2011

Re: [#95] Multiple Content-Lengths

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 10 Mar 2011 00:10:03 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20110309231003.GF29190@1wt.eu>
On Thu, Mar 10, 2011 at 11:55:31AM +1300, Adrien de Croy wrote:
> What should a proxy do?  It has the task of putting something together 
> to send a client.
> 
> it seems to me the only safe option is a.  It's also the only option 
> that provides any incentive for people to fix their sites.

The problem is that it does not work. When you go deploying your
appliance at a large customer and some applications don't work
behind it, whatever the bugs on the applications, the customer
only says your appliance does not work while many other products
do work there. That's why we got so many diverging workarounds
for many issues. Everything that is declared illegal will still
be done in a random way :-/

I even have one example. I had haproxy deployed at a bank and which
was blocking a few invalid responses which contained a header named
"Content/type". Guess what ? They disabled HTTP processing and only
used TCP until I was able to provide an option with a scary name to
relax the header parser, because fixing the app was expected to take
6 months (and it did take more).

I'd really like that standards propose hints for how to handle
exceptions when there's no alternative, without creating vulnerabilities
and without having all products behave differently.

Content smuggling exists precisely because everyone had to find a
different solution to an issue that was not considered something
that had to be handled at one point.

Regards,
Willy
Received on Wednesday, 9 March 2011 23:10:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:37 GMT