- From: Peter <cnmjbm@gmail.com>
- Date: Sun, 25 Jan 2009 12:01:20 -0800
- To: <ietf-http-wg@w3.org>
- Cc: "Jamie Lokier" <jamie@shareable.org>
----- Original Message ----- From: "Jamie Lokier" <jamie@shareable.org>

> The difference is that HTTP message boundaries (Content-Length etc.)
> and <soap:Envelope> are normally parsed by different software.
>
> Message boundaries are parsed by proxies, and those should not have
> any knowledge of <soap:Envelope> or other non-HTTP message boundary
> terminators. Message boundaries are also often parsed by generic HTTP
> agents, before passing individual messages to specific applications.

I won't argue against the difference (software, agent, proxy or app implementation), but in the TR-69 domain there seems to be no proxy between server and client.

By the way, if in generic HTTP domains there is such a security hole, either the application should not be additionally layered on a generic HTTP agent (library), or the RFC should have precisely/clearly mandated at least one of Content-Length and chunked encoding.

>
>> In any situation, the receiver should be able to recover from error
>> input.
>
> If HTTP message boundaries aren't clear, it opens a whole bunch of
> security holes. Especially, connections from proxies may carry
> messages from multiple unrelated users at the same time.
>
> -- Jamie
Received on Sunday, 25 January 2009 20:05:15 UTC
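The thread turns on how a receiver decides where an HTTP/1.1 message ends when the delimiting headers are missing, duplicated or contradictory. The following is an added example, not code from the thread or from any TR-69 implementation: a strict message-boundary check in the spirit of the rule later codified in RFC 7230 section 3.3.3, which accepts exactly one unambiguous delimiter (a single decimal Content-Length, or a Transfer-Encoding ending in chunked) and rejects everything else rather than guessing. It deliberately never looks for an application-level terminator such as </soap:Envelope>, since that is the layering violation Jamie describes. The sample messages and the host name acs.example are constructed for this example.

```python
"""Strict HTTP/1.1 message-boundary decision (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


class FramingError(ValueError):
    """The receiver cannot tell where this message ends; close the connection."""


@dataclass
class Framing:
    kind: str                     # "content-length", "chunked" or "none"
    length: Optional[int] = None  # body length in bytes when kind == "content-length"


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split the start-line and header fields; reject anything malformed."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated by CRLF CRLF")
    start_line, *field_lines = head.split(b"\r\n")
    fields: list[tuple[str, str]] = []
    for line in field_lines:
        name, colon, value = line.partition(b":")
        # A missing colon or whitespace inside the field name ("Content-Length :")
        # is exactly the kind of input that two parsers in a chain read differently.
        if not colon or not name or name != name.strip() or b" " in name or b"\t" in name:
            raise FramingError("malformed header field: %r" % line)
        try:
            fields.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
        except UnicodeDecodeError:
            raise FramingError("non-ASCII header field: %r" % line) from None
    return start_line.decode("ascii", "replace"), fields


def decide_framing(raw: bytes) -> Framing:
    """Return the one unambiguous body delimiter, or raise FramingError."""
    _, fields = parse_head(raw)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]

    if te and cl:
        # Both present: a proxy and an origin may pick different delimiters.
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer-coding is not chunked: %r" % codings)
        return Framing("chunked")
    if cl:
        values = set(cl)
        if len(values) != 1:
            raise FramingError("conflicting Content-Length values: %r" % cl)
        (value,) = values
        if not (value.isascii() and value.isdigit()):  # rejects "+5", "0x10", "5, 5", ""
            raise FramingError("non-decimal Content-Length: %r" % value)
        return Framing("content-length", int(value))
    # Neither header: the request has no body. The receiver must not scan for
    # an application marker such as </soap:Envelope> to find the end instead.
    return Framing("none", 0)


def check(raw: bytes) -> str:
    """Summarise the decision as 'ok:<kind>' or 'reject:<reason>' for logging."""
    try:
        return "ok:" + decide_framing(raw).kind
    except FramingError as exc:
        return "reject:" + str(exc)


# Constructed sample messages (not captured traffic).
GOOD_CL = (b"POST / HTTP/1.1\r\nHost: acs.example\r\n"
           b"Content-Length: 5\r\n\r\nhello")
GOOD_TE = (b"POST / HTTP/1.1\r\nHost: acs.example\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
BOTH = (b"POST / HTTP/1.1\r\nHost: acs.example\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\nhello")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: acs.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello!")
SPACED = b"POST / HTTP/1.1\r\nContent-Length : 5\r\n\r\nhello"
NO_BODY = b"GET / HTTP/1.1\r\nHost: acs.example\r\n\r\n"

if __name__ == "__main__":
    for label, msg in [("GOOD_CL", GOOD_CL), ("GOOD_TE", GOOD_TE), ("BOTH", BOTH),
                       ("DUP_CL", DUP_CL), ("SPACED", SPACED), ("NO_BODY", NO_BODY)]:
        print("%-8s %s" % (label, check(msg)))
```

The design choice is the one Peter's closing sentence asks for: the receiver does not "recover" from contradictory framing by picking a delimiter, because any choice can disagree with the next hop and, on a shared proxy connection, attach the remainder of one user's bytes to another user's message. Closing the connection is the safe recovery.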