(issue 95) - security considerations

The way I see it, double Content-Length is an instance of a more generic 
failure to follow RFC 2616 section 4.2, which reads:

Multiple message-header fields with the same field-name MAY be present 
in a message if and only if the entire field-value for that header field 
is defined as a comma-separated list [i.e., #(values)]. It MUST be 
possible to combine the multiple header fields into one "field-name: 
field-value" pair, without changing the semantics of the message, by 
appending each subsequent field-value to the first, each separated by a 
comma. The order in which header fields with the same field-name are 
received is therefore significant to the interpretation of the combined 
field value, and thus a proxy MUST NOT change the order of these field 
values when a message is forwarded.

Now, since Content-Length's field-value is not a comma separated list, 
it follows that Content-Length should never be sent twice. As well as 
many other headers. Perhaps it's simply worth mentioning explicitly in 
the RFC?!


Received on Thursday, 11 September 2008 19:07:15 UTC