Re: A question about Content-Length header

----- Original Message ----- 
From: "Jamie Lokier" <>

> The difference is that HTTP message boundaries (Content-Length etc.)
> and <soap:Envelope> are normally parsed by different software.
> Message boundaries are parsed by proxies, and those should not have
> any knowledge of <soap:Envelope> or other non-HTTP message boundary
> terminators.  Message boundaries are also often parsed by generic HTTP
> agents, before passing individual messages to specific applications.

I won't argue against the difference (software, agent, proxy or app 
implementation), but in the TR-69 domain there seems to be no proxy between server and 

By the way, if in generic HTTP domains there is such a security hole, either 
the application should not be additionally layered with a generic HTTP agent 
(library) or the RFC should have precisely/clearly mandated at least one of 
Content-Length and chunked encoding.

>> In any situation, the receiver should be able to recover from error 
>> input.
> If HTTP message boundaries aren't clear, it opens a whole bunch of
> security holes.  Especially, connections from proxies may carry
> messages from multiple unrelated users at the same time.
> -- Jamie 

Received on Sunday, 25 January 2009 20:05:15 UTC
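
The message-boundary concern discussed in this thread, as an added example that is not part of the original messages: a strict check that decides how an HTTP/1.1 body is delimited from its header block and refuses any message whose boundary two parsers could read differently. The function names, the `/acs` path and the sample header blocks are constructed for illustration, and the reject-on-doubt policy is an assumption of this example; status codes and methods that never carry a body are not modelled.

```python
def body_framing(head: bytes, is_response: bool = False):
    """Say how the body is delimited, or raise ValueError if ambiguous."""
    lengths, codings = [], []
    for line in head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        # Folded lines, or space around the field name, parse differently
        # in different implementations, so refuse them outright.
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        name = name.lower()
        if name == b"content-length":
            lengths += [v.strip() for v in value.split(b",")]
        elif name == b"transfer-encoding":
            codings += [v.strip().lower() for v in value.split(b",")]
    if lengths and codings:
        raise ValueError("Content-Length together with Transfer-Encoding")
    if codings:
        if codings[-1] != b"chunked" or codings.count(b"chunked") != 1:
            raise ValueError("chunked is not the single, final coding")
        return ("chunked", None)
    if lengths:
        if len(set(lengths)) != 1 or not lengths[0].isdigit():
            raise ValueError("conflicting or non-numeric Content-Length")
        return ("length", int(lengths[0]))
    # No framing header: a request has no body; a response runs to close.
    return ("until-close", None) if is_response else ("none", None)

# Constructed header blocks (not captured traffic); /acs is a made-up path.
SAMPLES = {
    "length": b"POST /acs HTTP/1.1\r\nHost: a.test\r\nContent-Length: 42\r\n\r\n",
    "chunked": b"POST /acs HTTP/1.1\r\nHost: a.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "both": b"POST /acs HTTP/1.1\r\nContent-Length: 42\r\nTransfer-Encoding: chunked\r\n\r\n",
    "two_lengths": b"POST /acs HTTP/1.1\r\nContent-Length: 42\r\nContent-Length: 7\r\n\r\n",
    "neither": b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n",
}

def audit(samples=SAMPLES):
    """Map each sample label to its framing verdict or a reject reason."""
    out = {}
    for label, head in samples.items():
        try:
            out[label] = body_framing(head, is_response=head.startswith(b"HTTP/"))
        except ValueError as exc:
            out[label] = "reject: %s" % exc
    return out

if __name__ == "__main__":
    for label, verdict in audit().items():
        print(label, "->", verdict)
```

The "neither" sample is the case debated above: with no Content-Length and no chunked encoding, the only boundary left is connection close, so a receiver on a persistent connection cannot tell where that message ends.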