Re: "actual content length", was: Handling multiple headers when only one is allowed

On 11.06.2010 15:24, Adrien de Croy wrote:
>
> I raised this problem a while back.
>
> All the browsers except Opera (limited case) make no complaint when a
> download is truncated. This is whether it's chunked and doesn't receive
> a final 0 chunk, or whether there's a content length and the connection
> is closed (whether or not the server indicated it would close) prior to
> that many bytes being transferred.
>
> I personally view this as highly problematic, and it's tied in with the
> work I've been doing recently with scanning at a proxy.
>
> The reason it's problematic, is because every single proxy I've tested
> (TMG/ISA, WinRoute, WinGate, Webmarshall - admittedly there are many
> more) does something called either "drip-feeding" or "trickling". If
> you're downloading a file through one of these proxies, they will send
> you a portion of the resource as it's coming down to the proxy. When the
> proxy has received the whole file, it scans it and sends the rest if
> it's ok, but if it's not ok, it has 1 option only - abort the connection.
>
> Since the browsers ignore the connection having been aborted, and
> present the downloaded file as if nothing was wrong, then any malware
> purveyor need only pad their malware out, so that the executable part
> will fall within the drip-feeding window. It basically renders AV at
> gateway potentially useless.
>
> If OTOH the browsers were to act on the fact that the download was
> aborted, this wouldn't be nearly as big a security risk.
>
> Regards
>
> Adrien

+1 to all of this (the problem also applies to cases where the server 
breaks while sending the content).

Do we have a test case for this? For the browsers that get this wrong, 
are there bug reports?

Best regards, Julian

Received on Friday, 11 June 2010 13:33:36 UTC