Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
Loïc Hoguin <essen@ninenines.eu> Tue, 14 February 2017 21:08 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6D17129886 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 13:08:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B7jEGGCDBiT8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 14 Feb 2017 13:08:53 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C4B312986F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 14 Feb 2017 13:08:53 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cdkJ2-0006iC-Du for ietf-http-wg-dist@listhub.w3.org; Tue, 14 Feb 2017 21:06:36 +0000
Resent-Date: Tue, 14 Feb 2017 21:06:36 +0000
Resent-Message-Id: <E1cdkJ2-0006iC-Du@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <essen@ninenines.eu>) id 1cdkIy-0006gl-80 for ietf-http-wg@listhub.w3.org; Tue, 14 Feb 2017 21:06:32 +0000
Received: from mout.kundenserver.de ([217.72.192.73]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <essen@ninenines.eu>) id 1cdkIs-0007z6-4q for ietf-http-wg@w3.org; Tue, 14 Feb 2017 21:06:26 +0000
Received: from [192.168.1.28] ([176.149.24.230]) by mrelayeu.kundenserver.de (mreue103 [212.227.15.183]) with ESMTPSA (Nemesis) id 0Lyk6B-1cI2sE1RN1-0166Lm; Tue, 14 Feb 2017 22:05:49 +0100
To: Adrien de Croy <adrien@qbik.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <emdcb96fc0-0d2f-436c-9f1f-05beffe7593e@bodybag>
From: Loïc Hoguin <essen@ninenines.eu>
Organization: Nine Nines
Message-ID: <e01c4945-1116-d258-7004-ea917843bf3d@ninenines.eu>
Date: Tue, 14 Feb 2017 22:05:46 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <emdcb96fc0-0d2f-436c-9f1f-05beffe7593e@bodybag>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:3JhTFhgAlPh7wC1a8UHZBkv23cfa6viu9LycbP1YnI3n8Cli9fl ealt7YnBfO76NaJgRJDOBzpKebcnv+5j0R3w2vvxWJ8wnGPKtGgFJ7fYlh9QjwU9/UoTenX uUJTXzwIVz4ugzCOkywYGJlkG1Pzo5IZlLgRI9kl5WvfJYt1N1y47KhHIb6s7chM866VZes FgDaouqS1y+1PUCie0gnA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:AlTfadntvYU=:hg5EXLLoVfBS5DKMjqc9eS DlSUAhH61SnjFhsEmWd3mFTI1bTc1Cd8KUzRIVONq2t1uO6153z8PUBQ5L7jUGEBPHRI+VDQx ENTELK1IVymvFoimAqQLj9MVsfnnxj6pDV8FeQ0gJD9IQdYcL176ISBVOcG2Mmt2F/JSpGwVR rZAMlULxSg3at+XkoHhJW/5FmU7CdC6KSpE7InSvq/1tGkmKIRkkP6S85tJc4v+Oeeohp6R0Y 5oyiP5OPJMB/vDzdePkVldSnCC3S06oMzcDxkxzkXIQ6TcwqHA6GY6fBGyHteIZBhldwG3IUn Dn3Mtw/dhIsgY+9nv3NUXypkl9+c1NdnbtAvV3ssKN1LHyl2TpTLdOIOZMlketezSkqBTi8l5 P8jlWjb1WUj2ggPEWjriRrRNqO53+DZHS4V2jLZrYAmaGertQphiv1xCg/CassjDUgd8yicMI KR2D2BRMF4CWS77PVC2naUMBa//j4JOYIOxrHjraC4Ic94iF9KT8Lq51eDZeIKCqmI2+9wN3K WJa/VqqWDnNGeepa3+PqLi0ibmcd/mFuyL+kulfMVaM9/L9tvlCMZClr3RqwXYVVvmWtxDZ0p U7k6SuWyVVvEYCxdHgbzasDVelzEfwihonNBxtuWnpl2+T74t8rHkK9UscVOx1d/mMqzRnwCL JqChy9n6wD57TbY8vH7vGRUNT0w4h0sKtj/XYMh9cIwHUUBe1WAyx+VHMEdz5WR0uWqD9bN2G 20rqPpyA9VrDM0d1
Received-SPF: none client-ip=217.72.192.73; envelope-from=essen@ninenines.eu; helo=mout.kundenserver.de
X-W3C-Hub-Spam-Status: No, score=-3.2
X-W3C-Hub-Spam-Report: AWL=1.298, BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-3.296, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cdkIs-0007z6-4q a0dcd163fdbb4e4eb7292862ef58e6e8
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sections 3.3.2 and 3.3.3 allow bogus Content-Length?
Archived-At: <http://www.w3.org/mid/e01c4945-1116-d258-7004-ea917843bf3d@ninenines.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33489
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 02/14/2017 09:49 PM, Adrien de Croy wrote: > > The language in RFC 7230 section 3.3.2 is extremely non-commital about > whether Content-Length needs to be correct or not. > > I'm currently having a dispute about this with someone who quoted these > sections at me as being proof that you can use any value for C-L > regardless of the body length. > > I think it could be a lot more forcefully written > > Or is the person correct and we don't need to have C-L match the body > length? It sounds pretty explicit to me: 4. If a message is received without Transfer-Encoding and with either multiple Content-Length header fields having differing field-values or a single Content-Length header field having an invalid value, then the message framing is invalid and the recipient MUST treat it as an unrecoverable error. If this is a request message, the server MUST respond with a 400 (Bad Request) status code and then close the connection. If it's both invalid and required for handling the request, send a 400 and close the connection. I suppose the spec allows you to have an invalid Content-Length if and only if the request also has a Transfer-Encoding header, however: If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error. So sending a 400 and closing does not sound crazy even in that case, despite the spec not requiring it. -- Loïc Hoguin https://ninenines.eu
- Sections 3.3.2 and 3.3.3 allow bogus Content-Leng… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Loïc Hoguin
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Poul-Henning Kamp
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- RE: Sections 3.3.2 and 3.3.3 allow bogus Content-… Mike Bishop
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Matthew Kerwin
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Jason T. Greene
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Jacob Champion
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Poul-Henning Kamp
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Daniel Stenberg
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Willy Tarreau
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Alex Rousskov
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Jacob Champion
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Alex Rousskov
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Jacob Champion
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Alex Rousskov
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Alex Rousskov
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Matthew Kerwin
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Adrien de Croy
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Alex Rousskov
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Mark Nottingham
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Willy Tarreau
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Poul-Henning Kamp
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Cory Benfield
- Re: Sections 3.3.2 and 3.3.3 allow bogus Content-… Patrick McManus