Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation)

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Oct 2013 07:20:58 +0200
To: Roberto Peon <grmocg@gmail.com>
Cc: Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131021052058.GF22747@1wt.eu>

On Sun, Oct 20, 2013 at 05:23:50PM -0700, Roberto Peon wrote:
> If any value is too large, the connection should be torn down.
> The definition of 'too large' depends utterly on details that we cannot
> predict.

And we already have the case with chunks in HTTP/1.1 which can cause a
connection to be suddenly broken because an implementation cannot parse
too large a value.

Cheers,
Willy
Received on Monday, 21 October 2013 05:21:23 UTC
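
The rule discussed in this thread (reject a value that is too large and let the caller tear the connection down) can be sketched as follows; this is an added example, not code from the message or from any implementation mentioned in it. It assumes the prefix-coded integer layout as later published in RFC 7541 section 5.1; the function name, result codes and `limit` parameter are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example. */
enum { INT_OK = 0, INT_TRUNCATED = -1, INT_TOO_LARGE = -2 };

/* Decode one prefix-coded integer starting at buf[0].
 * prefix_bits: width of the prefix in buf[0]; caller guarantees 1..8.
 * limit: largest value this implementation accepts (a local policy choice).
 * On INT_OK, *out is the value and *used the number of bytes consumed.
 * On INT_TOO_LARGE the caller is expected to tear the connection down. */
int decode_prefix_int(const uint8_t *buf, size_t len, unsigned prefix_bits,
                      uint64_t limit, uint64_t *out, size_t *used)
{
    uint64_t max_prefix = (1u << prefix_bits) - 1;
    uint64_t value;
    unsigned shift = 0;
    size_t i = 1;

    if (len == 0)
        return INT_TRUNCATED;
    value = buf[0] & max_prefix;            /* bits above the prefix are not ours */
    if (value > limit)
        return INT_TOO_LARGE;
    if (value == max_prefix) {              /* prefix saturated: continuation bytes follow */
        uint8_t b;
        do {
            if (i == len)
                return INT_TRUNCATED;       /* need more input, not an error yet */
            b = buf[i++];
            /* Check before shifting: a shift of 64 or more is undefined, and
             * the running sum must stay within limit, so it can never wrap.
             * This also bounds runs of zero-valued continuation bytes. */
            if (shift >= 64 ||
                (uint64_t)(b & 0x7f) > ((limit - value) >> shift))
                return INT_TOO_LARGE;
            value += (uint64_t)(b & 0x7f) << shift;
            shift += 7;
        } while (b & 0x80);
    }
    *out = value;
    *used = i;
    return INT_OK;
}
```
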