Re: "205" status code

Joris Dobbelsteen wrote:
> The 205 status MUST NOT contain an entity body and this includes NO
> "content-length" and "transfer-encoding" headers.
> 
> Referencing RFC2616.
> It is stated in 10.2.6 "205 Reset Content" as you described.
> 
> 4.4 "Message Length"
> Condition 1 states:
> Any response message which "MUST NOT" include a message body (...) is
> always terminated by the first empty line after the header fields,
> regardless of the entity-header fields present in the message.
> 
> (...) gives examples of such responses, it does NOT specify them.

4.3 "Message Body" DOES specify them completely:

   All 1xx (informational), 204 (no content), and 304 (not modified)
   responses MUST NOT include a message-body. All other responses do
   include a message-body, although it MAY be of zero length.

Note, "ALL OTHER responses...".

Also if you look at the texts for 204, 304 and 205 responses, you see
that 204 and 304 say "MUST NOT include a message-body", whereas 205
says "MUST NOT include an entity".  204 and 304 go on to say that the
message is terminated at the first empty line, but 205 does not say
that.

It's clear that the text for 205 was added at a different time and
perhaps written by a different author.

The important thing is, are there any servers which send 205 responses
and if so, what do they send?

It's a potential security hole if Apache and some other proxies
disagree over where to parse 205 message boundaries, because a
malicious server could generate 205s with a message-body.
Disagreement among proxies over how to parse boundaries could result
in response headers from a different (non-malicious) server being
forwarded to the wrong client, in other words one malicious
client-server pair could trigger unwanted effects or gain access to
private information between another client-server pair, if both pairs
share a common path between two proxies which disagree over 205
message boundaries.

-- Jamie

Received on Sunday, 19 September 2004 16:01:08 UTC
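
The boundary disagreement discussed in this message, as an added example that is not part of the original post: two readings of RFC 2616 are applied to the same constructed byte stream, and a check flags the 205 responses on which they differ. The function names, the sample bytes and the restriction to Content-Length framing are assumptions made for illustration.

```python
# Added example: two readings of RFC 2616 framing for a 205 response.
# All names and the sample bytes are constructed for illustration.

NO_BODY_4_3 = {204, 304}             # section 4.3 list (1xx handled below)
NO_BODY_WITH_205 = {204, 205, 304}   # reading that treats 205 like 204/304


def parse_head(raw):
    """Return (status, headers, offset of first byte after the empty line)."""
    end = raw.index(b"\r\n\r\n") + 4
    lines = raw[:end - 4].split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, end


def message_end(raw, no_body_statuses):
    """Offset where the first response ends under the given no-body rule."""
    status, headers, body_start = parse_head(raw)
    if 100 <= status < 200 or status in no_body_statuses:
        return body_start  # terminated by the first empty line
    # Assumption: only Content-Length framing is modelled here.
    return body_start + int(headers.get(b"content-length", b"0"))


def framing_disagreement(raw):
    """Bytes that one reading treats as body and the other as the next message."""
    a = message_end(raw, NO_BODY_4_3)
    b = message_end(raw, NO_BODY_WITH_205)
    return raw[min(a, b):max(a, b)]


def is_ambiguous_205(raw):
    """Check an intermediary could apply: a 205 that carries framing headers."""
    status, headers, _ = parse_head(raw)
    return status == 205 and (
        int(headers.get(b"content-length", b"0")) > 0
        or b"transfer-encoding" in headers)


# Constructed sample: a 205 declaring a 5-byte body, followed by another response.
SAMPLE = (b"HTTP/1.1 205 Reset Content\r\nContent-Length: 5\r\n\r\n"
          b"helloHTTP/1.1 200 OK\r\n\r\n")
```

An intermediary that rejects or normalises any response for which `is_ambiguous_205` is true removes the case where two hops can pick different boundaries.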