Re: i19 Bodies on GET (and other) requests

Yves Lafon wrote:
> >Henrik Nordstrom wrote:
> >>Hmm.. maybe there is also request smuggling attacks possible
> >>here if there is some server/proxy software ignoring that there may be a
> >>request body..
> >
> >See also "Content-Length : 12345" (note the space).  I think that is
> >interpreted as a Content-Length header by some agents, and a
> >"Content-Length " header by others (i.e. not implying a body), and
> >disallowed as bad syntax by others.  Ample opportunities for request
> >smuggling.
> Alex Rousskov pointed out some time ago that it was covered by the spec in 
> 2.1, implied *LWS.
> So  it should always be interpreted as "Content-Length"

In fact, Alex and I read the identical text and disagreed over whether
it allows *LWS before the colon.

(Which, by the way, means that text should be clarified in any new revision).

But that's besides the point; what the spec covers is theoretical.  In
theory, there are no request smuggling attacks.

As I recall, from looking at source code, actually deployed
implementations interpret "Content-Length : 12345" in all the ways I
described.  See also " Content-Length: 12345" (space before the name)
for additional surprises.

-- Jamie

Received on Thursday, 18 January 2007 21:33:41 UTC