Re: [#95] Multiple Content-Lengths

* Adrien de Croy wrote:
>I agree.  The current spec presumes it's an innocent error that a 
>Content-Length header sneaked in, and really it's meant to be chunked if 
>there's a Transfer-Encoding: chunked header.
>However for any other problem scenario, this leads to other issues which 
>show up as malformed chunks if you're lucky.
>I'm struggling to see how this could be used in an attack though.

If all participants in a HTTP communication agree that the messages are
delimited by the lengths indicated for the chunks (or by the length in
the Content-Length header) then there is no problem, but if some use the
Content-Length headers while others use the chunks the framing is broken
and an attacker may be able to get some of the participants to treat the
entity body of a message as request or response.

Using both is already forbidden and what to do if you do not want to
abort the connection is also well-defined. That HTTP implementations may
also abort a connection if they feel like it is already clear, so there
does not seem to be anything that needs changing (and a requirement to
abort the connection would probably be widely ignored at least for some
Björn Höhrmann · ·
Am Badedeich 7 · Telefon: +49(0)160/4415681 ·
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · 

Received on Tuesday, 12 October 2010 20:56:49 UTC