IETF Logo Mail Archive

Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?

"Adrien de Croy" <adrien@qbik.com> Wed, 15 February 2017 01:48 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE61129493 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 17:48:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_xPCDJFZwC5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 17:48:39 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0D5129486 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Feb 2017 17:48:39 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cdoff-0003Oj-3s for ietf-http-wg-dist@listhub.w3.org; Wed, 15 Feb 2017 01:46:15 +0000
Resent-Date: Wed, 15 Feb 2017 01:46:15 +0000
Resent-Message-Id: <E1cdoff-0003Oj-3s@frink.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <adrien@qbik.com>) id 1cdofb-0003Ny-3n for ietf-http-wg@listhub.w3.org; Wed, 15 Feb 2017 01:46:11 +0000
Received: from smtp.qbik.com ([122.56.26.1]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_ARCFOUR_128_SHA1:128) (Exim 4.84_2) (envelope-from <adrien@qbik.com>) id 1cdofO-0008Aa-GF for ietf-http-wg@w3.org; Wed, 15 Feb 2017 01:46:02 +0000
Received: From [192.168.1.146] (unverified [192.168.1.146]) by SMTP Server [192.168.1.3] (WinGate SMTP Receiver v9.0.4 (Build 5915)) with SMTP id <0000964645@smtp.qbik.com>; Wed, 15 Feb 2017 14:45:28 +1300
From: Adrien de Croy <adrien@qbik.com>
To: Matthew Kerwin <matthew@kerwin.net.au>
Cc: Alex Rousskov <rousskov@measurement-factory.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Wed, 15 Feb 2017 01:45:27 +0000
Message-Id: <eme1e3b988-5c11-4cc3-a930-bca665adceaf@bodybag>
In-Reply-To: <CACweHNBTqcjw=Qdu1mWTeosUMYt0B86xnH8VJoQBYvVMFmCQaw@mail.gmail.com>
References: <emdcb96fc0-0d2f-436c-9f1f-05beffe7593e@bodybag> <e01c4945-1116-d258-7004-ea917843bf3d@ninenines.eu> <ema747b801-6dcc-4b2d-ac95-9a027e10c0b4@bodybag> <7874c62b-c6a0-5d84-8115-20016b45118a@measurement-factory.com> <em541e3407-4e99-468e-a1e7-85a7bf074bdd@bodybag> <874938e6-2153-e02a-ab0e-814f468c58f8@measurement-factory.com> <em95b13204-3a33-4bd5-81d2-791e809b9cd2@bodybag> <0f12628c-ab62-22c2-2cf3-e4b456072597@measurement-factory.com> <emdcdebbb8-1ff5-4139-b8f2-409fe94eb6e8@bodybag> <CACweHNBTqcjw=Qdu1mWTeosUMYt0B86xnH8VJoQBYvVMFmCQaw@mail.gmail.com>
Reply-To: Adrien de Croy <adrien@qbik.com>
User-Agent: eM_Client/7.0.27943.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB2ECB4979-F751-41AF-80C0-DC50D98D9406"
Received-SPF: pass client-ip=122.56.26.1; envelope-from=adrien@qbik.com; helo=smtp.qbik.com
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: AWL=-0.689, BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1cdofO-0008Aa-GF 4c00ed3da8c40a4aeab2be9043fd1f0a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
Archived-At: <http://www.w3.org/mid/eme1e3b988-5c11-4cc3-a930-bca665adceaf@bodybag>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33517
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>


Maybe this discussion is indicative of the underlying problems in the 
(lack of?) definition, which results in things like browsers accepting 
smaller payloads than advertised without complaining.


If we turn it around, under what circumstances could we consider that

a user-agent emitting a request message which includes a Content-Length 
header whose value is greater than the number of bytes it then transmits 
after the headers

Is not an error condition, or that the message should be processed as if 
it were complete?



I also wonder whether we would be having a similar discussion on the TLS 
WG about record lengths.

When security is at stake I thought we tended to take a firmer stand.


It seems from the language in 3.3.3 par 4 that the intention is that the 
C-L MUST match the body payload size.

The language in 3.3.2 however does not reinforce this.

Adrien



------ Original Message ------
From: "Matthew Kerwin" <matthew@kerwin.net.au>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Alex Rousskov" <rousskov@measurement-factory.com>; 
"ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 15/02/2017 2:18:43 PM
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?

>
>
>On 15 February 2017 at 10:42, Adrien de Croy <adrien@qbik.com> wrote:
>>
>>
>>------ Original Message ------
>>From: "Alex Rousskov" <rousskov@measurement-factory.com 
>><mailto:rousskov@measurement-factory.com>>
>>To: "Adrien de Croy" <adrien@qbik.com>; "ietf-http-wg@w3.org" 
>><ietf-http-wg@w3.org>
>>Sent: 15/02/2017 1:32:04 PM
>>Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
>>
>>>On 02/14/2017 04:18 PM, Adrien de Croy wrote:
>>>
>>>>  The only true size of a body is what you obtain by counting its 
>>>>bytes.
>>>
>>>I disagree. The only true size of a body is the Content-Length value 
>>>(in
>>>relevant contexts).
>>
>>What about for a sender piecing a message together.  Where does 
>>Content-Length come from?
>>
>>The content existed before you derived or obtained its length.
>>
>
>When we say "content" do we mean content of the message, content of the 
>representation, or content of the resource? I've always taken 
>content-length to mean the content of the representation[*] -- which, 
>since the demise of T-E, basically means message payload.
>
>When we say "body", I hope we're all always talking about message 
>payload. (i.e.: representation · Range · T-E)
>
>Reasoning about the _resource_ (including file size) is the purview of 
>the application, outside of HTTP transport or semantics. At least, 
>that's how it looks from my ivory tower.
>
>[*] something something Range something
>
>Cheers
>--
>   Matthew Kerwin
>   http://matthew.kerwin.net.au/

v2.23.0 | Report a Bug | By Email