Re: 204 no content response with Content-Length header.

ok thanks

I guess the issue is that even if you ignore the Content-Length in the 
message, the framing on the stream is potentially broken, since if the 
emitter of the message decides to send a body of that length, you can't 
process it as another message.

Is this a potential smuggling attack of some sort?

Also whilst a 304 can update metadata and the Content-Length can be used 
to validate a stored entity, it's not clear 204 does.


------ Original Message ------
From: "Willy Tarreau" <>
To: "Adrien de Croy" <>
Cc: "HTTP Working Group" <>
Sent: 28/05/2015 11:58:06 p.m.
Subject: Re: 204 no content response with Content-Length header.

>Hi Adrien,
>On Thu, May 28, 2015 at 11:48:03AM +0000, Adrien de Croy wrote:
>>  Hi everyone.
>>  I'm seeing some responses coming back from a server with status code 
>>  and a non-zero Content-Length header.
>>  Since the spec says that 204 responses MUST not contain a body, and
>>  therefore are terminated by the first empty line, what should one 
>>  of the Content-Length header?
>>  Should we (in a proxy)
>>  a) ignore it and pass it to client
>>  b) strip it from message to client
>>  c) treat it as some meta data being communicated / updated
>>  d) something else
>In haproxy, we process them exactly like 304 which are defined pretty
>similarly, in that we ignore the content-length since the message 
>contain one. This is the behaviour defined in 7230#3.3.3 :
>    1.  Any response to a HEAD request and any response with a 1xx
>        (Informational), 204 (No Content), or 304 (Not Modified) status
>        code is always terminated by the first empty line after the
>        header fields, regardless of the header fields present in the
>        message, and thus cannot contain a message body.
>Please note the "regardless of the header fields present in the 
>this is the key here.
>Best regards,

Received on Thursday, 28 May 2015 12:06:00 UTC