Re: i19 Bodies on GET (and other) requests

tis 2007-01-16 klockan 01:06 +0100 skrev Henrik Nordstrom:
> The perhaps biggest problem, apart from some implementations blocking
> such requests as "nonsense use of HTTP" is that it may be used as a
> covert channel to smuggle data out from a network. But there is a large
> number of those in HTTP and related services so not that big of a
> problem..  Hmm.. maybe there is also request smuggling attacks possible
> here if there is some server/proxy software ignoring that there may be a
> request body..

Hmm.. looked back a bit in my notes and find the latter to be the reason
why Squid still rejects such messages by default, protecting the cache
from request splitting attacks.. Our configuration notes even reads


        Squid defaults to deny GET and HEAD requests with request entities,
        as the meaning of such requests are undefined in the HTTP standard
        even if not explicitly forbidden.

        Set this directive to on if you have clients which insists
        on sending request entities in GET or HEAD requests. But be warned
        that there is server software (both proxies and web servers) which
        can fail to properly process this kind of request which may make you
        vulnerable to cache pollution attacks if enabled.

Note: details on what software the above refers to have unfortunately
been lost over the years.

As a special case "Content-Length: 0" request messages is not restricted
by this directive as they are safe from the request injection problem (a
bit hard to fit a new request in 0 octets).


Received on Tuesday, 16 January 2007 01:02:18 UTC