IETF Logo Mail Archive

Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?

Willy Tarreau <w@1wt.eu> Tue, 14 February 2017 22:08 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA2031293EE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 14:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WW7iqrEUd_nD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 14:08:08 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A7FB12940F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Feb 2017 14:08:07 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cdlEL-0008Qq-BG for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Feb 2017 22:05:49 +0000
Resent-Date: Tue, 14 Feb 2017 22:05:49 +0000
Resent-Message-Id: <E1cdlEL-0008Qq-BG@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <w@1wt.eu>) id 1cdlEG-0008Py-AB for ietf-http-wg@listhub.w3.org; Tue, 14 Feb 2017 22:05:44 +0000
Received: from wtarreau.pck.nerim.net ([62.212.114.60] helo=1wt.eu) by titan.w3.org with esmtp (Exim 4.84_2) (envelope-from <w@1wt.eu>) id 1cdlE9-0003Fj-Ld for ietf-http-wg@w3.org; Tue, 14 Feb 2017 22:05:39 +0000
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id v1EM54hs000593; Tue, 14 Feb 2017 23:05:04 +0100
Date: Tue, 14 Feb 2017 23:05:04 +0100
From: Willy Tarreau <w@1wt.eu>
To: Adrien de Croy <adrien@qbik.com>
Cc: Loïc Hoguin <essen@ninenines.eu>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20170214220504.GC30715@1wt.eu>
References: <emdcb96fc0-0d2f-436c-9f1f-05beffe7593e@bodybag> <e01c4945-1116-d258-7004-ea917843bf3d@ninenines.eu> <ema747b801-6dcc-4b2d-ac95-9a027e10c0b4@bodybag>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <ema747b801-6dcc-4b2d-ac95-9a027e10c0b4@bodybag>
User-Agent: Mutt/1.6.1 (2016-04-27)
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-7.0
X-W3C-Hub-Spam-Report: AWL=0.938, BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cdlE9-0003Fj-Ld 3544df67872d87da5aeacfefc7e22bd6
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
Archived-At: <http://www.w3.org/mid/20170214220504.GC30715@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33498
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Feb 14, 2017 at 09:12:38PM +0000, Adrien de Croy wrote:
> 
> I did quote that section, but it doesn't define what an invalid C-L is.
> 
> Nowhere does it explicitly state that C-L value must equal the body size in
> order to be valid.  Sure it should be obvious, but the language at the start
> of 3.3.2 doesn't help there.
> 
> It says
> 
> "Any Content-Length field value greater than or equal to zero is
> valid."
> 
> well no, to be valid it must match the body size.

In fact that's not true. It's not the content-length that matches the
body size, it's the body which ends after the content-length. So whatever
numeric value >= 0 is indeed valid *and* defines the body size.

> The first sentence in 3.3.2
> 
> "When a message does not have a Transfer-Encoding header field, a
> Content-Length header field can provide the anticipated size, as a
> decimal number of octets, for a potential payload body."
> 
> "can provide"???
> "anticipated size"???
> "potential payload body"???

I think that's for 304 or responses to HEAD. Though out of the context,
the wording looks scary.

Regardless the text explaining how to determinate the body size (hence
where it stops once you've found where it starts) is pretty clear and
I hardly see how to interpret it differently.

You can make a parallel with a piece of string. Tell him "I'm giving you
2 meters of string, just pull it and cut at 2 meters, this is your body,
and what remains in my hand is mine and is not your body ; if I don't
tell you where to cut before pulling, you pull everything until I run
out of it and only then you can determine the length".

Anyway it's sad to see that there are people having so many difficulties
understanding so obvious concepts and that such people are allowed to
demand that a technical component works one way or another...

Willy

v2.23.0 | Report a Bug | By Email