
Re: legality of Transfer-Encoding: chunked bodies in HTTP/2

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 08 Aug 2014 23:08:11 +1200
Message-ID: <53E4AF9B.3020008@treenet.co.nz>
To: ietf-http-wg@w3.org

On 8/08/2014 6:50 p.m., Mark Nottingham wrote:
> Indeed. From <http://tools.ietf.org/html/draft-ietf-httpbis-http2-14#section-8.1>:
> 
>>   3.  zero or more DATA frames containing the message payload (see [RFC7230], Section 3.3)
> 
> "payload" is a very specific term, and it is *not* processed for chunks.
> 

Excellent.

So the sender application just excludes Content-Length and
chunked-encodes the representation. The framing layer DATA-frames the
chunks without inspecting them to find where the END_STREAM flag applies.

* Applications (whether DoS generators or innocent bunglers) can now
force recipients to hold onto HTTP/2 stream context indefinitely for up
to 2^31-1 streams, just by emitting a chunked-encoded byte stream for DATA
encoding, it not being de-chunked to find the 0-chunk where END_STREAM
applies.

* Request smugglers can now abuse h2->1.1 gateways: just send without
Content-Length and with a "0\r\n" prefix on the 1.1 message smuggled
inside DATA.

Amos
Received on Friday, 8 August 2014 11:08:49 UTC
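
A gateway-side defence against the h2->1.1 concern raised in this message, as an added example that is not part of the original post or of any project's code: the gateway rejects connection-specific fields (malformed in HTTP/2 under the later published RFC 7540, section 8.1.2.2) and builds the HTTP/1.1 chunked framing itself, so chunk-like bytes inside DATA stay body data. The function names, the exception and the sample request are assumptions made for the illustration.

```python
# Added example; function and exception names are hypothetical.
class MalformedRequest(Exception):
    """Raised when an HTTP/2 request must not be forwarded."""

# Connection-specific fields; RFC 7540 section 8.1.2.2 makes them malformed in HTTP/2.
HOP_FIELDS = {"connection", "keep-alive", "proxy-connection",
              "transfer-encoding", "upgrade"}

def h2_to_h1(method, path, headers, data_frames):
    """Serialize one complete HTTP/2 request (END_STREAM seen) as HTTP/1.1.

    The gateway owns the HTTP/1.1 framing: each DATA payload is opaque bytes
    wrapped in a chunk whose size the gateway computes itself.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_FIELDS or "\r" in name + value or "\n" in name + value:
            raise MalformedRequest(f"rejecting field {lname!r}")
        if lname == "content-length":
            if not (value.isascii() and value.isdigit()) or int(value) != sum(map(len, data_frames)):
                raise MalformedRequest("content-length != total DATA length")
            continue  # replaced by the gateway's own chunked framing
        lines.append(f"{lname}: {value}")
    lines.append("transfer-encoding: chunked")
    out = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    for payload in data_frames:
        if payload:  # a zero-length chunk would end the body early
            out += b"%x\r\n" % len(payload) + payload + b"\r\n"
    return out + b"0\r\n\r\n"  # emitted once, only at END_STREAM

def h1_bodies(stream):
    """Minimal HTTP/1.1 chunked reader (no trailers): one body per message."""
    bodies = []
    while stream:
        _, _, stream = stream.partition(b"\r\n\r\n")  # skip header block
        body = b""
        while True:
            size_line, _, stream = stream.partition(b"\r\n")
            size = int(size_line, 16)
            if size == 0:
                stream = stream[2:]  # CRLF that ends the empty trailer section
                break
            body, stream = body + stream[:size], stream[size + 2:]
        bodies.append(body)
    return bodies
```

`h1_bodies` stands in for the HTTP/1.1 server behind the gateway: a DATA payload that begins with `0\r\n\r\n` comes out as one message body, not as a terminator followed by a second message.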
