- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 29 May 2015 08:55:15 +0200
- To: Greg Wilkins <gregw@webtide.com>
- Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, May 29, 2015 at 04:26:22PM +1000, Greg Wilkins wrote: > On 29 May 2015 at 16:03, Willy Tarreau <w@1wt.eu> wrote: > > > Not necessarily if everyone in the chain acts as specified both in 2616 > > and 7230 : response message doesn't contain a body *regardless of headers*. > > > except by definition this situation occurs when somebody in the chain is > acting NOT according to 2616/7230 and has either attached a body when they > should not have, or indicated a content-length when there is no content. > > My point is that it is dangerous to try to distinguish between those two > alternatives. Somebody in the chain is acting badly, so cut the chain! >From a spec interpretation perspective I disagree since if you look at the paragraph about message size, it's pretty clear that content-length doesn't matter for 204. *BUT* from a developer point of view, I cannot see a valid case where a 204 could contain a non-zero content-length, so I'd be tempted to explain that situation via a bug only, and then I agree with the principle of cutting the chain to prevent that bug from having nastier effects. The case where you'd find a transfer-encoding header could be slightly more difficult to sort out since you're supposed to ignore it with 204 though you don't know yet if you'll find some data, and a bogus server could unconditionally respond with 204+T-E and a zero-length chunk to mark the end of the body. In that case there's no risk of smuggling attack since the body will always start with hex digits, so there's no way they'll match "HTTP/1.1 <status>" and be confused with a second response. Cheers, Willy
Received on Friday, 29 May 2015 06:55:47 UTC