- From: Adrien de Croy <adrien@qbik.com>
- Date: Wed, 05 Dec 2007 07:55:40 +1300
- To: 'HTTP Working Group' <ietf-http-wg@w3.org>
Yutaka OIWA wrote: > > Imagine that there is the following request stream: > > POST /a HTTP/1.0 > Host: hostname.domain.name.jp > User-Agent: Mozilla/5.0 (X11; U; Linux i686; ja-JP; rv:1.7.8) Gecko/20050513 > bian/1.7.8-1 > Keep-Alive: 300 > Connection: keep-alive > Transfer-Encoding: chunked > Content-Type: text/xml > Content-Length: 113 > > 0 > > POST /~yutaka/cgi-bin/test2.cgi?exploit=yes HTTP/1.0 > Host: hostname.domain.name.jp > Content-Length: 500 > > If a request like this were to be sent through an HTTP/1.1 capable proxy which behaves according to the recommendations of the spec, the proxy would likely turn this into an HTTP/1.1 request upstream. e.g. the case where one sends POST http://hostname.domain.name.jp/a HTTP/1.0 Host: hostname.domain.name.jp User-Agent: Mozilla/5.0 (X11; U; Linux i686; ja-JP; rv:1.7.8) Gecko/20050513 bian/1.7.8-1 Keep-Alive: 300 Connection: keep-alive Transfer-Encoding: chunked Content-Type: text/xml Content-Length: 113 0 POST /~yutaka/cgi-bin/test2.cgi?exploit=yes HTTP/1.1 Host: hostname.domain.name.jp Content-Length: 500 to a proxy, would cause most proxies (unless they explicitly check for this) to send 2 POST requests to that server. Does this mean there should (if there are no further recommendations made for servers / UAs) at least be some requirements specified for proxies in this case? e.g a proxy must not change the meaning of request headers (in this case Transfer-encoding) by virtue of simply forwarding the request with a different HTTP version tag. Regards Adrien -- Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 4 December 2007 18:55:00 UTC