W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: legality of Transfer-Encoding: chunked bodies in HTTP/2

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 8 Aug 2014 09:12:57 -0700
Message-ID: <CABkgnnWpYV4pBPw2goWtqDgRfwFeOo478s6RCwr3Q17xZ_nfng@mail.gmail.com>
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 8 August 2014 04:08, Amos Jeffries <squid3@treenet.co.nz> wrote:
>
> So the sender application just excludes Content-Length and
> chunked-encodes the representation. The framing layer DATA frames the
> chunks without inspecting to find where END_STREAM flag applies.
>
> * Applications (whether DoS generators or innocent bunglers) can now
> force recipients to hold onto HTTP/2 stream context indefinitely for up
> to 2^31-1 streams. Just by emitting chunked encoded byte stream for DATA
> encoding. It not being de-chunked to find the 0-chunk where END_STREAM
> applies.
>
> * request smugglers can now abuse h2->1.1 gateways. Just send without
> content-length and having a "0\r\n" prefix on the 1.1 message smuggled
> inside DATA.

The complete opposite in fact.  If you pack chunked encoding in, then
that is (likely) garbage.  That's all.
Received on Friday, 8 August 2014 16:13:25 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC