Re: "205" status code

> 4.3 "Message Body" DOES specify them completely:
>
>    All 1xx (informational), 204 (no content), and 304 (not modified)
>    responses MUST NOT include a message-body. All other responses do
>    include a message-body, although it MAY be of zero length.
>
> Note, "ALL OTHER responses...".
>
> Also if you look at the texts for 204, 304 and 205 responses, you see
> that 204 and 304 say "MUST NOT include a message-body", whereas 205
> says "MUST NOT include an entity".  204 and 304 go on to say that the
> message is terminated at the first empty line, but 205 does not say
> that.
>
> It's clear that the text for 205 was added at a different time and
> perhaps written by a different author.

No.  Think about it a little.  There are existing status codes that
everyone knows about, and then there are extension codes that were
added later.  How are the existing, deployed systems going to know
about the semantics of 205 when they were deployed prior to its
definition?  They can't.  That is why there are exceptions for old,
pre-existing, abnormal status codes, and no other exceptions because
later extensions must be self-descriptive.

> The important thing is, are there any servers which send 205 responses
> and if so, what do they send?

If they don't send "Content-length: 0", they are broken.

> It's a potential security hole if Apache and some other proxies
> disagree over where to parse 205 message boundaries, because a
> malicious server could generate 205s with a message-body.
> Disagreement among proxies over how to parse boundaries could result
> in response headers from a different (non-malicious) server being
> forwarded to the wrong client, in other words one malicious
> client-server pair could trigger unwanted effects or gain access to
> private information between another client-server pair, if both pairs
> share a common path between two proxies which disagree over 205
> message boundaries.

Only if the proxy had pipelined requests from different clients
on the same connection, which is a pretty far-fetched theory.
It certainly isn't a security hole, since the HTTP messages are
already being sent in the clear over the Internet for anyone to see
(TLS/SSL connections are never shared).

....Roy

Received on Sunday, 19 September 2004 20:06:48 UTC
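
The boundary disagreement discussed in this thread, as an added example that is not part of the original message or of any server's code: a check that frames a 205 response under both readings (no body, like 204/304, versus "all other responses" delimited by Content-Length) and reports when they differ. The function names and sample responses are hypothetical, and Transfer-Encoding is assumed absent.

```python
# Added example; function and variable names are hypothetical.
BODYLESS = {204, 304}  # plus every 1xx, per the section 4.3 text quoted above

def parse_head(raw):
    """Return (status, headers, bytes following the blank line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest

def body_length(status, headers, bodyless_205):
    """Bytes a parser consumes as body; None means 'read until close'."""
    if 100 <= status < 200 or status in BODYLESS:
        return 0
    if status == 205 and bodyless_205:
        return 0
    if "content-length" in headers:
        return int(headers["content-length"])
    return None

def check_205(raw):
    """Return a finding if the two readings of 205 frame it differently."""
    status, headers, _ = parse_head(raw)
    if status != 205:
        return None
    strict = body_length(status, headers, bodyless_205=True)
    generic = body_length(status, headers, bodyless_205=False)
    if strict == generic:
        return None
    seen = "until close" if generic is None else f"{generic} bytes"
    return f"205 framing differs: 0 bytes vs {seen}"

# Constructed sample responses, not captured traffic.
SAMPLES = {
    "explicit-zero": b"HTTP/1.1 205 Reset Content\r\nContent-Length: 0\r\n\r\n",
    "with-body": b"HTTP/1.1 205 Reset Content\r\nContent-Length: 5\r\n\r\nhello",
    "no-length": b"HTTP/1.1 205 Reset Content\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_205(raw) or "ok")
```

Only the response carrying "Content-Length: 0" frames identically under both readings, so an intermediary can treat any other 205 as a reason to close the upstream connection instead of reusing it.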