
#879: Should servers interpret Transfer-Encoding in 1.0 requests?

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 13 Jul 2021 17:43:28 +1000
Message-Id: <09EACA5C-E560-4C76-A596-8F7C3D890766@mnot.net>
To: HTTP Working Group <ietf-http-wg@w3.org>
<https://github.com/httpwg/http-core/issues/879>

Some security researchers have found what appears to be a situation where handling of Transfer-Encoding and Content-Length in a particular deployment can introduce a request smuggling vulnerability, even if the specification's requirements are followed closely. 

See the issue for details. The heart of the question at this point is whether we can strengthen (to a SHOULD or MUST) or otherwise qualify this 'ought':

> If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length.  Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error.

Their research indicates that a number of servers don't reject such requests.

Could implementers take a look and weigh in (here or on the issue)?

Cheers,

--
Mark Nottingham   https://www.mnot.net/
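The framing decision the message is asking about, as an added example that is not part of the original post, the httpwg issue, or any named server's code: a small request-head parser that applies the quoted rule (Transfer-Encoding overrides Content-Length) and, in its default strict mode, treats a message carrying both header fields as an error. The sample requests are constructed for illustration, and the handling of Transfer-Encoding in an HTTP/1.0 request is exposed as a policy flag (`reject_te_in_http10`) precisely because that is the open question in the subject line, not a rule the page settles.

```python
"""Added example (not the HTTP WG's or any server's code): decide how an
HTTP/1.x request body is framed and flag messages that ought to be rejected.
Sample requests are constructed; the HTTP/1.0 policy is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_DIGITS = re.compile(r"[0-9]+\Z")


@dataclass
class Framing:
    mode: str               # "chunked", "content-length" or "none"
    length: Optional[int]   # body length, only meaningful for "content-length"
    reject: bool            # True when the message ought to be treated as an error
    reason: str


def split_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into the request-line and (name, value) pairs.
    Header names are lower-cased so repeated or mixed-case fields compare equal."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is incomplete (no blank line)")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return request_line, headers


def decide_framing(raw: bytes, strict: bool = True,
                   reject_te_in_http10: bool = True) -> Framing:
    """Apply the framing rule from the spec text quoted in the message.

    strict=True  : a message with both Transfer-Encoding and Content-Length is an error.
    strict=False : Transfer-Encoding overrides Content-Length (the lenient reading).
    reject_te_in_http10 is an assumed policy, parameterised because the thread
    asks whether servers should honour Transfer-Encoding in HTTP/1.0 requests."""
    request_line, headers = split_head(raw)
    version = request_line.rsplit(" ", 1)[-1]
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]

    if te and cl and strict:
        return Framing("none", None, True,
                       "both Transfer-Encoding and Content-Length present")

    if te:
        # Lenient path: Transfer-Encoding wins; Content-Length (if any) is ignored.
        if version == "HTTP/1.0" and reject_te_in_http10:
            return Framing("none", None, True,
                           "Transfer-Encoding in an HTTP/1.0 request")
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return Framing("none", None, True, "final transfer-coding is not chunked")
        return Framing("chunked", None, False, "chunked transfer-coding")

    if cl:
        if any(not _DIGITS.match(v) for v in cl):
            return Framing("none", None, True, "invalid Content-Length value")
        if len(set(cl)) != 1:
            return Framing("none", None, True, "conflicting Content-Length values")
        return Framing("content-length", int(cl[0]), False, "Content-Length")

    return Framing("none", 0, False, "no message body")


# Constructed sample request heads (not captured traffic).
SAMPLE_BOTH = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
SAMPLE_CL = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
SAMPLE_CL_CONFLICT = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                      b"Content-Length: 5\r\nContent-Length: 6\r\n\r\n")
SAMPLE_TE_HTTP10 = (b"POST / HTTP/1.0\r\nHost: example.test\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n")
SAMPLE_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("both", SAMPLE_BOTH), ("cl", SAMPLE_CL),
                         ("cl-conflict", SAMPLE_CL_CONFLICT),
                         ("te-http10", SAMPLE_TE_HTTP10), ("get", SAMPLE_GET)]:
        print(name, decide_framing(sample))
    print("both (lenient)", decide_framing(SAMPLE_BOTH, strict=False))
```

The strict/lenient switch is the whole point of the thread: with `strict=False` the function does exactly what the quoted sentence says (chunked framing wins), which is the behaviour the researchers found deployed; with `strict=True` it implements the "ought to be handled as an error" clause that the message proposes upgrading to a SHOULD or MUST.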
Received on Tuesday, 13 July 2021 07:43:50 UTC
