fre 2007-01-19 klockan 14:20 +0800 skrev ShuXin Zheng:
> OK, since that is just for dealing with buggy servers, it should do better
> and can also handle "Transfer-Encoding and Content-Length are presented
> in one reply header". Isn't it ?
It rejects responses with both chunked and content-length due to
response splitting attacks which is otherwise possible in mixed
environments.
Lets deal with one protocol violation at a time. Servers sending chunked
+ content-length is doubly violating the protocol and won't be dealt
with yet. (MUST NOT send chunked in response to HTTP/1.0 request, MUST
NOT send content-length in chunked response).
If this turns out to be a significant problem with servers being broken
in this manner as well then we may implement workarounds for this, but
blindly doing what the RFC suggests and simply ignoring Content-Length
is not secure and will cause even more problems.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:02 MST