- From: Yutaka OIWA <y.oiwa@aist.go.jp>
- Date: Wed, 05 Dec 2007 03:28:35 +0900
- To: ietf-http-wg <ietf-http-wg@w3.org>
Dear members,
This is a security problem related to issue #93 and my previous mail
([NEW ISSUE] Content-Length and Transfer-Encoding: security implications).
Many servers and proxies accept messages containing two Content-Length:
headers in different manners: some interpret the first header, and some
the latter. This has caused "request/response smuggling attacks"
when any pair of the server, the proxy, and the clients involved
interpret those differently. The outcome of the attack is severe: it
allows cross-site content injection. To fix this, I recommend adding the
following note to the specification.
> Messages MUST NOT include any hop-to-hop header twice. When the server
> received such a request, it MUST respond with 400 (Bad Request) and
> close the connection. When the client received such a response, it MUST
> discard the response and close the connection. The client MUST NOT
> accept any responses which follow such an invalid response in a
> keep-alive connection.
The requirement words may be "SHOULD" and "SHOULD NOT", and the restricted
headers can be limited to Connection, Transfer-Encoding, and Content-length.
--
Yutaka OIWA, Ph.D. Research Scientist
Research Center for Information Security (RCIS)
National Institute of Advanced Industrial Science and Technology (AIST)
Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]
Received on Tuesday, 4 December 2007 18:28:49 UTC
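As an added illustration (not part of the original mail), the check below implements the proposed rule as a defender would on a server or proxy: a message head carrying more than one Content-Length, Transfer-Encoding or Connection header is rejected with 400 and the connection is closed, and `body_length_under` shows how a first-wins and a last-wins parser disagree on the same constructed request. The sample request, header names and function names are assumptions made for the example.

```python
"""Strict handling of duplicated framing headers in an HTTP/1.1 message head.

Rather than choosing the first or last Content-Length (the two behaviours
that let a proxy and an origin server disagree on where one message ends
and the next begins), a message with any duplicated restricted header is
refused outright. The sample request is constructed for illustration.
"""
from typing import List, Tuple

# Headers whose duplication is rejected under the proposed rule.
RESTRICTED = {"content-length", "transfer-encoding", "connection"}


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a message head into its start line and lower-cased (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return start_line, headers


def duplicated_restricted(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the restricted header names that occur more than once."""
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if n in RESTRICTED and c > 1)


def body_length_under(headers: List[Tuple[str, str]], policy: str) -> int:
    """Body length a lenient parser would use: 'first' or 'last' Content-Length wins."""
    values = [int(v) for n, v in headers if n == "content-length"]
    return values[0] if policy == "first" else values[-1]


def check_request(raw: bytes) -> Tuple[int, bool]:
    """Return (status, close_connection) for a request head under the strict rule."""
    _, headers = parse_head(raw)
    if duplicated_restricted(headers):
        return 400, True      # reject and close, do not parse further messages
    return 200, False


# Constructed sample: two conflicting Content-Length headers on one request.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhelloGET /x ")
```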