Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation) from Willy Tarreau on 2013-10-21 (ietf-http-wg@w3.org from October to December 2013)

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Oct 2013 07:20:58 +0200
To: Roberto Peon <grmocg@gmail.com>
Cc: Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131021052058.GF22747@1wt.eu>

On Sun, Oct 20, 2013 at 05:23:50PM -0700, Roberto Peon wrote:
> If any value is too large, the connection should be torn down.
> The definition of 'too large' depends utterly on details that we cannot
> predict.

And we already have the case with chunks in HTTP/1.1 which can cause a
connection to be suddenly broken because an implementation cannot parse
too large a value.

Cheers,
Willy

Received on Monday, 21 October 2013 05:21:23 UTC