- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 13 Jul 2021 17:43:28 +1000
- To: HTTP Working Group <ietf-http-wg@w3.org>
<https://github.com/httpwg/http-core/issues/879> Some security researchers have found what appears to be a situation where handling of Transfer-Encoding and Content-Length in a particular deployment can introduce a request smuggling vulnerability, even if the specification's requirements are followed closely. See the issue for details. The heart of the question at this point is whether we can strengthen (to a SHOULD or MUST) or otherwise qualify this 'ought': > If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error. Their research indicates that a number of servers don't reject such requests. Could implementers take a look and weigh in (here or on the issue)? Cheers, -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 13 July 2021 07:43:50 UTC