- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 23 Jul 2021 11:56:51 +1000
- To: HTTP Working Group <ietf-http-wg@w3.org>
We seem to have converged on a resolution here:
  https://github.com/httpwg/http-core/pull/905

Please take a look and if you have questions, comments or objections, let us know.

Cheers,

> On 13 Jul 2021, at 5:43 pm, Mark Nottingham <mnot@mnot.net> wrote:
>
> <https://github.com/httpwg/http-core/issues/879>
>
> Some security researchers have found what appears to be a situation where handling of Transfer-Encoding and Content-Length in a particular deployment can introduce a request smuggling vulnerability, even if the specification's requirements are followed closely.
>
> See the issue for details. The heart of the question at this point is whether we can strengthen (to a SHOULD or MUST) or otherwise qualify this 'ought':
>
>> If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error.
>
> Their research indicates that a number of servers don't reject such requests.
>
> Could implementers take a look and weigh in (here or on the issue)?
>
> Cheers,
>
> --
> Mark Nottingham   https://www.mnot.net/

--
Mark Nottingham   https://www.mnot.net/
Received on Friday, 23 July 2021 01:57:10 UTC
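
The framing rule quoted in the message above, written out as a receiver-side check. This is an added example, not part of the original message, the specification text or any server's code; the names `FramingError`, `parse_fields`, `decide_framing` and `is_rejected` and the sample requests are constructed for illustration. With `strict=True` a message carrying both fields is handled as an error; with `strict=False` Transfer-Encoding overrides Content-Length.

```python
class FramingError(ValueError):
    """Framing headers are ambiguous or malformed; respond 400 and close."""

def parse_fields(raw: bytes):
    """Return [(lowercased name, value)] from a raw request head."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    fields = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        # Empty names or whitespace before the colon make parsers disagree.
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        fields.append((name.lower(), value.strip(" \t")))
    return fields

def decide_framing(raw: bytes, strict: bool = True):
    """Return ("chunked", None), ("length", n) or ("none", 0)."""
    fields = parse_fields(raw)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if te and cl:
        if strict:                               # the "handled as an error" reading
            raise FramingError("both Transfer-Encoding and Content-Length")
        cl = []                                  # lenient: Transfer-Encoding overrides
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return ("chunked", None)
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        value = values.pop() if len(values) == 1 else ""
        if not (value.isascii() and value.isdigit()):
            raise FramingError("invalid or conflicting Content-Length")
        return ("length", int(value))
    return ("none", 0)

# Constructed sample requests (not taken from the issue or the research).
BOTH = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
LENGTH_ONLY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\n\r\nhello")

def is_rejected(raw: bytes, strict: bool = True) -> bool:
    try:
        decide_framing(raw, strict)
        return False
    except FramingError:
        return True
```

An intermediary that runs in the lenient mode should also drop the Content-Length field before forwarding, so the next hop sees only one framing signal.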