Re: i19 Bodies on GET (and other) requests

On Tue, 16 Jan 2007, Jamie Lokier wrote:

> Henrik Nordstrom wrote:
>> Hmm.. maybe there is also request smuggling attacks possible
>> here if there is some server/proxy software ignoring that there may be a
>> request body..
> See also "Content-Length : 12345" (note the space).  I think that is
> interpreted as a Content-Length header by some agents, and a
> "Content-Length " header by others (i.e. not implying a body), and
> disallowed as bad syntax by others.  Ample opportunities for request
> smuggling.

Alex Rousskov pointed out some time ago that it was covered by the spec in 
2.1, implied *LWS.
So  it should always be interpreted as "Content-Length"

Baroula que barouleras, au tiéu toujou t'entourneras.


Received on Wednesday, 17 January 2007 10:04:57 UTC