- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 29 May 2015 08:03:51 +0200
- To: Greg Wilkins <gregw@webtide.com>
- Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, May 29, 2015 at 12:40:34PM +1000, Greg Wilkins wrote:
> Surely that connection is terminal and must be closed. It is impossible
> for the proxy to determine if the origin server has erred by adding a
> content-length when there is no body or by adding a body to a 204 when it
> should not have. If it ignores the body indicated by the content-length
> then it will be vulnerable to a smuggling attack.

Not necessarily if everyone in the chain acts as specified both in 2616
and 7230: response message doesn't contain a body *regardless of headers*.

Cheers,
Willy
Received on Friday, 29 May 2015 06:04:25 UTC
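
The framing rule referred to in the message above, as an added example that is not part of the original e-mail or of any implementation discussed in the thread. It compares a recipient that applies the "no body regardless of headers" rule of RFC 7230 section 3.3.3 with one that trusts Content-Length on a 204; the function names and the sample bytes are constructed for illustration.

```python
def body_length(status, headers, request_method="GET"):
    """Body bytes to read for a response: an int, or None for read-until-close."""
    # RFC 7230 section 3.3.3, rule 1: HEAD responses, 1xx, 204 and 304 have
    # no body, regardless of Content-Length or Transfer-Encoding.
    if request_method == "HEAD" or 100 <= status < 200 or status in (204, 304):
        return 0
    if "transfer-encoding" in headers:
        raise NotImplementedError("chunked framing is outside this example")
    if "content-length" in headers:
        return int(headers["content-length"])
    return None


def parse_head(buf):
    """Parse a status line and headers; return (status, headers, remaining bytes)."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("lost message boundary at %r" % lines[0])
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest


def split_responses(stream, follow_spec=True):
    """Split back-to-back responses on one connection into (status, body) pairs."""
    out = []
    while stream:
        status, headers, rest = parse_head(stream)
        if follow_spec:
            n = body_length(status, headers)
        else:
            n = int(headers.get("content-length", 0))  # trusts the header on a 204
        n = len(rest) if n is None else n
        out.append((status, rest[:n]))
        stream = rest[n:]
    return out


# Constructed sample: a 204 with a stray Content-Length, then a normal 200.
SAMPLE = (b"HTTP/1.1 204 No Content\r\nContent-Length: 5\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
```

With `follow_spec=True` both responses are recovered intact; with `follow_spec=False` the reader consumes five bytes of the next status line as the 204's "body" and loses the message boundary, which is the disagreement between hops that makes smuggling possible.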