Re: [NEW ISSUE] Content-Length and Transfer-Encoding: security implications

On Wed, 2007-12-05 at 09:08 +1300, Adrien de Croy wrote:

> Wouldn't the best approach be to ban Transfer-Encoding from HTTP/1.0 
> clients?  Removing the Transfer-Encoding header in this case solves the 
> problem, as then the payload of the post is correctly encapsulated.

Yes, a SHOULD requirement that servers and clients SHOULD reject
HTTP/1.0 messages using chunked transfer-encoding as invalid would be a
good thing. Required to solve interoperability issues regarding these
requests when there is an HTTP/1.0 proxy in the path.

For a pure HTTP/1.1 path (or any path where there isn't an HTTP/1.0
proxy) the existing wording works.

Note: there are some servers out there in the wild that respond with both
Content-Length and chunked... but probably not many...


Received on Thursday, 6 December 2007 03:10:47 UTC
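Added example, not part of the message above or of the HTTP WG discussion: a small framing decision routine that applies the rule proposed in the thread (refuse HTTP/1.0 messages carrying Transfer-Encoding) and also handles the other ambiguous case mentioned there, a message carrying both Content-Length and Transfer-Encoding. The function names, the strict/lenient policy switch and all sample messages are the editor's own constructions; the lenient branch follows RFC 7230 section 3.3.3, where Transfer-Encoding overrides Content-Length.

```python
"""Decide how an HTTP/1.x message body is framed, refusing the cases a
request-smuggling attack relies on.  Editor's example, not code from the
thread; all sample messages below are constructed."""

import re

class FramingError(ValueError):
    """Raised when the body length cannot be determined unambiguously."""

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

def parse_head(raw_head: bytes):
    """Split a request head (up to the blank line) into (version, headers).
    headers keeps order and duplicates as (lowercase-name, value) pairs."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise FramingError("malformed request line")
    version = (int(m.group(3)), int(m.group(4)))
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding rejected")
        name, sep, value = line.partition(b":")
        # Whitespace between the field name and the colon is a classic
        # way to get two parsers to disagree about which header is present.
        if not sep or not name or name != name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return version, headers

def body_framing(raw_head: bytes, strict: bool = True):
    """Return ("chunked", None), ("content-length", n) or ("none", None).
    Raises FramingError for messages a hardened server or proxy refuses:
      - any Transfer-Encoding in an HTTP/1.0 message (the thread's SHOULD)
      - Content-Length together with Transfer-Encoding (strict mode only;
        lenient mode lets Transfer-Encoding win, as RFC 7230 3.3.3 says)
      - a Transfer-Encoding whose final coding is not exactly one 'chunked'
      - conflicting or non-numeric Content-Length values"""
    version, headers = parse_head(raw_head)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]

    if te and version < (1, 1):
        raise FramingError("Transfer-Encoding in an HTTP/1.0 message")

    if te:
        if cl and strict:
            raise FramingError("both Content-Length and Transfer-Encoding present")
        codings = [c.strip().lower() for v in te for c in v.split(b",") if c.strip()]
        if not codings or codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            raise FramingError("Transfer-Encoding does not end with a single chunked coding")
        return ("chunked", None)

    if cl:
        # Identical repeated values are tolerated; differing ones are not.
        values = {v.strip() for h in cl for v in h.split(b",")}
        if len(values) != 1:
            raise FramingError("conflicting Content-Length values")
        v = values.pop()
        if not v.isdigit():
            raise FramingError("non-numeric Content-Length")
        return ("content-length", int(v))

    return ("none", None)

def rejection_reason(raw_head: bytes, strict: bool = True):
    """Return the reason a message would be refused, or None if it is accepted."""
    try:
        body_framing(raw_head, strict)
    except FramingError as e:
        return str(e)
    return None

# Constructed sample: an HTTP/1.0 request sending both framing headers,
# the shape an HTTP/1.0 proxy in the path would misinterpret.
SMUGGLE_ATTEMPT = (b"POST /upload HTTP/1.0\r\nHost: example.test\r\n"
                   b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    print(rejection_reason(SMUGGLE_ATTEMPT))
```

The strict/lenient switch exists because the thread notes that some deployed servers do emit both headers in responses; a client talking to such a server may need the lenient branch, while anything acting as a proxy or origin server should run strict and refuse the message outright rather than guess.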