- From: Jamie Lokier <jamie@shareable.org>
- Date: Thu, 18 Jan 2007 21:33:24 +0000
- To: Yves Lafon <ylafon@w3.org>
- Cc: Henrik Nordstrom <hno@squid-cache.org>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Yves Lafon wrote:
> >Henrik Nordstrom wrote:
> >>Hmm.. maybe there are also request smuggling attacks possible
> >>here if there is some server/proxy software ignoring that there may be a
> >>request body..
> >
> >See also "Content-Length : 12345" (note the space). I think that is
> >interpreted as a Content-Length header by some agents, and a
> >"Content-Length " header by others (i.e. not implying a body), and
> >disallowed as bad syntax by others. Ample opportunities for request
> >smuggling.
>
> Alex Rousskov pointed out some time ago that it was covered by the spec in
> 2.1, implied *LWS.
> So it should always be interpreted as "Content-Length"

In fact, Alex and I read the identical text and disagreed over whether it allows *LWS before the colon. (Which, by the way, means that text should be clarified in any new revision).

But that's beside the point; what the spec covers is theoretical. In theory, there are no request smuggling attacks.

As I recall, from looking at source code, actually deployed implementations interpret "Content-Length : 12345" in all the ways I described.

See also " Content-Length: 12345" (space before the name) for additional surprises.

-- Jamie
Received on Thursday, 18 January 2007 21:33:41 UTC
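
An added illustration of the disagreement discussed in this message (not part of the original post, and not code from any server or proxy): three hypothetical parser models, `lenient`, `literal` and `strict`, are applied to the header lines quoted in the thread, with a check a gateway could use to flag lines on which they would frame the message differently. The `Host` line and the function names are constructed for the example.

```python
import re

# Field names must be a bare HTTP token: no spaces before, inside or after.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def _split(line):
    name, sep, value = line.partition(":")
    return (name, value.strip()) if sep else (None, None)

def lenient(lines):
    """Model 1: trims whitespace around the field name before matching it."""
    for line in lines:
        name, value = _split(line)
        if name is not None and name.strip().lower() == "content-length":
            return int(value)
    return 0

def literal(lines):
    """Model 2: keeps the name byte-for-byte, so 'Content-Length ' is unknown."""
    for line in lines:
        name, value = _split(line)
        if name is not None and name.lower() == "content-length":
            return int(value)
    return 0

def strict(lines):
    """Model 3: rejects the message if any field name is not a bare token."""
    for line in lines:
        name, _ = _split(line)
        if name is None or not TOKEN.match(name):
            raise ValueError(f"bad header syntax: {line!r}")
    return literal(lines)

def framing_views(lines):
    """Body length each model assumes for the same header lines, or 'reject'."""
    views = {}
    for parser in (lenient, literal, strict):
        try:
            views[parser.__name__] = parser(lines)
        except ValueError:
            views[parser.__name__] = "reject"
    return views

def is_ambiguous(lines):
    """True when the models disagree, i.e. two hops could frame it differently."""
    return len(set(framing_views(lines).values())) > 1
```

A front end that applies the `strict` model and refuses the request removes the disagreement before it reaches any downstream parser.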