- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 4 Jan 2008 21:00:15 +1100
- To: Yutaka OIWA <y.oiwa@aist.go.jp>
- Cc: ietf-http-wg <ietf-http-wg@w3.org>
Now issue 95; <http://www3.tools.ietf.org/wg/httpbis/trac/ticket/95>

On 05/12/2007, at 5:28 AM, Yutaka OIWA wrote:

> Dear members,
>
> This is a security problem related to issue #93 and my previous mail
> ([NEW ISSUE] Content-Length and Transfer-Encoding: security implications).
>
> Many servers and proxies accept messages containing two Content-Length:
> headers in different manners: some interpret the first header, and some
> do the latter. This has caused "request/response smuggling attacks",
> when any pair of the server, the proxy, and the clients involved are
> interpreting those differently. The outcome of the attack is severe: it
> allows cross-site content injection. To fix this, I recommend to add the
> following note to the specification.
>
>> Messages MUST NOT include any hop-to-hop header twice. When the server
>> received such a request, it MUST respond with 400 (Bad Request) and
>> close the connection. When the client received such a response, it MUST
>> discard the response and close the connection. The client MUST NOT
>> accept any responses which follow such an invalid response in a
>> keep-alive connection.
>
> The requirement words may be "SHOULD" and "SHOULD NOT", and the restricted
> headers can be limited to Connection, Transfer-Encoding, and Content-Length.
>
> --
> Yutaka OIWA, Ph.D. Research Scientist
> Research Center for Information Security (RCIS)
> National Institute of Advanced Industrial Science and Technology (AIST)
> Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
> OpenPGP: id[995DD3E1] fp[3C21 17D0 D953 77D3 02D7 4FEC 4754 40C1 995D D3E1]

--
Mark Nottingham
http://www.mnot.net/
Received on Friday, 4 January 2008 10:00:36 UTC
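The duplicate-header rule proposed in the quoted mail, as an added example that is not part of the thread or of any HTTP implementation: a small Python check that rejects a request repeating Connection, Transfer-Encoding or Content-Length with the 400 status the proposal calls for, while leaving other repeated headers alone. The function name, the (status, reason) return convention and the sample requests are this example's own assumptions.

```python
from collections import Counter

# Hop-by-hop headers whose duplication changes how the message is framed;
# the proposal allows limiting the rule to exactly these three.
FRAMING_HEADERS = {"connection", "transfer-encoding", "content-length"}


def check_request_headers(raw: bytes) -> tuple[int, str]:
    """Return (status, reason) for one HTTP/1.1 request.

    200: the header block is acceptable and may be processed further.
    400: the message is malformed; the caller should send 400 Bad Request
         and close the connection, so nothing pipelined behind it is read.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, "incomplete header block"
    request_line, *header_lines = head.split(b"\r\n")
    if len(request_line.split(b" ")) != 3:
        return 400, "malformed request line"

    counts = Counter()
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            continue  # obsolete line folding continues the previous field
        name, colon, _value = line.partition(b":")
        if not colon or not name.strip():
            return 400, "malformed header line"
        # Field names are case-insensitive, so "Content-Length" and
        # "content-length" must count as the same header.
        counts[name.strip().lower().decode("latin-1")] += 1

    repeated = sorted(n for n in FRAMING_HEADERS if counts[n] > 1)
    if repeated:
        return 400, "duplicate framing header: " + ", ".join(repeated)
    return 200, "ok"


# Constructed sample requests, not captured traffic.
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUPLICATE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\ncontent-length: 30\r\n\r\nhello")
DUPLICATE_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n"
                b"\r\n0\r\n\r\n")
REPEATED_ACCEPT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                   b"Accept: text/html\r\nAccept: text/plain\r\n\r\n")
```

A server applying this check must also stop reading from the connection after the 400, as the proposal says, since the bytes following the rejected header block cannot be framed reliably.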