IETF Logo Mail Archive

Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?

Jacob Champion <champion.p@gmail.com> Tue, 14 February 2017 22:46 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F6E3129956 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 14:46:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.502
X-Spam-Level:
X-Spam-Status: No, score=-6.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvNyfI3_iOSc for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 14:46:41 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646DC12943C for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Feb 2017 14:46:41 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cdlpe-0006oL-Dm for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Feb 2017 22:44:22 +0000
Resent-Date: Tue, 14 Feb 2017 22:44:22 +0000
Resent-Message-Id: <E1cdlpe-0006oL-Dm@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <champion.p@gmail.com>) id 1cdlpa-0006mg-G7 for ietf-http-wg@listhub.w3.org; Tue, 14 Feb 2017 22:44:18 +0000
Received: from mail-it0-f44.google.com ([209.85.214.44]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <champion.p@gmail.com>) id 1cdlpU-00083I-9Q for ietf-http-wg@w3.org; Tue, 14 Feb 2017 22:44:13 +0000
Received: by mail-it0-f44.google.com with SMTP id k200so21592485itb.1 for <ietf-http-wg@w3.org>; Tue, 14 Feb 2017 14:43:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=6ezJ0wVJxbEvrYgqqiROIQ82XCQ9TxorI8por87q0nM=; b=Mp92wEbwmk6JEZ8WO20hhScLzrCddr82cRIxSOe3SAbBiSrCY9qjl5VZSOXy3NpvEF Mu8s6YCafzVc0I5gyUMz2KmvNZA4MZ9tVFSDvfduKqWJqiKAMMEnzAyXaKn7osaqDKky cwysrgekSgUhXmvSUpSe82JwLfTx8qtrSWETNTffM+7/S24v7nfzse0xb6wDnQD0+fyS Agrx/lut/8UpUFEj3LOm9oipRuhGj9c6m7CFNwpGWcyxEBPCZot3gV4Ku+ey6ERGZ5Q6 EQ2GQUgYxhWF8defUe53NODei2n69kk05raoSvMBtsEszWYlckLoXGNLxHWYryg8s/yP 2CoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=6ezJ0wVJxbEvrYgqqiROIQ82XCQ9TxorI8por87q0nM=; b=sVTq6QrLNvo/5Il2PSe8InAGDoI38ErQTECQLz4H2aY6abFzZ7+eo+QIbaaIoTfLKP CiMTv4xrzOZ6TLeo7rpIHjkTkXsTkuJY1cmiNvLdo/0uOUcarq02U7dcQ74LSbtHvK+I x2NWK/cjPNI38ZMoKAFfWmFlrSeYYpKFGugQZVxDzv7hrJeYvWx820BQnpYIL6+jSU8y bUy5UnUInHugAy9W1X+cqLR3BH+k9H6veEBJw7vTRJ/NQQGFMZiWysrxcYhCUtQsh1xA 6gUbjcNF7tYM4ofujSVl2AJTv6nNwrU4KeuObOCKiRdGngK3alz3wBSy03prolT4CgAh JzHg==
X-Gm-Message-State: AMke39kqyJ3oKc7NblNAfEdmFSBcH08MGbsCSTc8TXeJiPAtceFEe7/chnz6x9yzCuTJPA==
X-Received: by 10.99.95.87 with SMTP id t84mr35034063pgb.209.1487112225059; Tue, 14 Feb 2017 14:43:45 -0800 (PST)
Received: from [192.168.1.2] (50-39-112-180.bvtn.or.frontiernet.net. [50.39.112.180]) by smtp.gmail.com with ESMTPSA id e90sm3159655pfl.32.2017.02.14.14.43.44 for <ietf-http-wg@w3.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Feb 2017 14:43:44 -0800 (PST)
To: ietf-http-wg@w3.org
References: <emdcb96fc0-0d2f-436c-9f1f-05beffe7593e@bodybag> <e01c4945-1116-d258-7004-ea917843bf3d@ninenines.eu> <ema747b801-6dcc-4b2d-ac95-9a027e10c0b4@bodybag> <20170214220504.GC30715@1wt.eu> <em50e83819-e706-444a-bfa2-ef7a4ee8e4fd@bodybag>
From: Jacob Champion <champion.p@gmail.com>
Message-ID: <6e538bd1-4731-f8e3-d1a5-2fe054fd2e33@gmail.com>
Date: Tue, 14 Feb 2017 14:43:43 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <em50e83819-e706-444a-bfa2-ef7a4ee8e4fd@bodybag>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=209.85.214.44; envelope-from=champion.p@gmail.com; helo=mail-it0-f44.google.com
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: AWL=-1.640, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1cdlpU-00083I-9Q 7eff38faf67642c5520726d4594bad72
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
Archived-At: <http://www.w3.org/mid/6e538bd1-4731-f8e3-d1a5-2fe054fd2e33@gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33504
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 02/14/2017 02:13 PM, Adrien de Croy wrote:
>> In fact that's not true. It's not the content-length that matches the
>> body size, it's the body which ends after the content-length. So whatever
>> numeric value >= 0 is indeed valid *and* defines the body size.
> I think there's an argument you could make against this.
>
> If the C-L is smaller than the transmitted body, then the remainder
> after C-L bytes is processed as an invalid new request, or maybe
> smuggling request.
>
> If the C-L is larger than the transmitted body then the message is
> incomplete.  In a response message the connection would need to be
> closed, and in a request message there's no recovery from this.

I think Willy's point is that, from a protocol perspective, C-L 
*defines* the body (for the types of messages we're discussing here). 
It's not possible to transmit a body -- for HTTP's definition of "body" 
-- that is "smaller" or "larger" than the C-L. In one case, the endpoint 
runs out of bytes to read and eventually times out. In the other, it 
reaches the end of the body, and now there happens to be junk data at 
the start of the next received message.

> An implementation may choose to just truncate the message at C-L bytes
> of body, but this is an implementation decision, not necessarily a
> specification?

Well, there's this part of 3.3.3:

    If the final response to the last request on a connection has been
    completely received and there remains additional data to read, a user
    agent MAY discard the remaining data or attempt to determine if that
    data belongs as part of the prior response body, which might be the
    case if the prior message's Content-Length value is incorrect.  A
    client MUST NOT process, cache, or forward such extra data as a
    separate response, since such behavior would be vulnerable to cache
    poisoning.

which to me seems like a MAY that is doomed to fail in the general case. 
Broken pipelining, race conditions, cache poisoning...

--Jacob

v2.23.0 | Report a Bug | By Email