From: Jeffrey Mogul <Jeff.Mogul@hp.com>
Date: Thu, 22 Jun 2006 10:39:03 -0700
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Kuba Witczak <czesacz@gmail.com>, ietf-http-wg@w3.org
Julian Reschke <julian.reschke@gmx.de> writes:
Kuba Witczak schrieb:
> The problem is that a system, which relies on HTTP protocol, refuses to
> accept GET requests with header 'Content-length: 0'. This header added
> to request doesn't bring any information, and should be ignored by a
> system which relies on HTTP protocol, am I correct?
No, it shouldn't be ignored. It should be processed. In this
*particular* case that's the same as ignoring, but in theory the request
*could* have a request body (although RFC2616 currently doesn't define
what that would mean). In the latter case, the recipient would need to
read the request body (potentially throwing it away afterwards).
[...]
> Is there any general rule in HTTP/1.1 protocol which allows or forbids
> 'Content-length: 0' header in GET requests?
There's no rule that forbids it.
The same question appeared on comp.protocols.tcp-ip, and Barry
Margolin pointed out:
See section 4.3, where it says:
The presence of a message-body in a request is signaled by the
inclusion of a Content-Length or Transfer-Encoding header field in
the request's message-headers. A message-body MUST NOT be included in
a request if the specification of the request method (section 5.1.1)
does not allow sending an entity-body in requests.
Since the specification of the GET request doesn't allow sending a body
in the request, you MUST NOT include a Content-Length or
Transfer-Encoding header.
I'm not sure he's correct that RFC2616 prohibits sending a
message-body with a GET method. 5.1.1 (Method) doesn't actually
say anything about this. Section 9.3 (GET) doesn't either.
The definitions for PUT and POST do refer to "the enclosed entity",
which implicitly "allow[s] sending an entity-body". Anyway,
I think the spec is a little ambiguous in this respect, since
4.3 implies that (somewhere else) there is a definitive statement
about which methods do and don't allow entity-bodies in requests.
As far as I can tell, there isn't.
Nevertheless, what has become known as the "robustness principle":
In general, an implementation must be conservative
in its sending behavior, and liberal in its receiving behavior.
[RFC791, section 3.2]
implies that rejecting a GET with "Content-length: 0" is being
over-cautious.
HOWEVER, Barry also points out:
I think a number of firewalls block these because they have been
involved in some exploits.
I'm not specifically aware of which exploits are involved here;
I think the problem might be that a malicious request actually does
have a "body" that starts with another set of HTTP request headers,
thus bypassing certain checks along the way.
Anyway, I don't know if the situation is as clear as it should
be. The spec seems to leave a little too much room for confusion,
and the security issue might be worth documenting as "advice for
proxy and server implementors."
-Jeff
P.S.: Barry's message is available via:
http://groups.google.com/group/comp.protocols.tcp-ip/browse_thread/thread/9c51adab8132c0b7/a701d2edcd9c089b?lnk=st&q=margolin+%22Content-length%3A+0%22&rnum=1&hl=en#a701d2edcd9c089b
Received on Thursday, 22 June 2006 17:39:20 UTC
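The framing disagreement Jeff describes above (a GET whose "body" starts with another set of request headers) as an added example, not code from the thread or from any HTTP implementation: two toy HTTP/1.1 request framers in Python run over one constructed byte stream. One honours Content-Length on every method, as Julian says a recipient must; the other ignores it on GET. The hostnames, paths, the sample streams and the /admin access check are all assumptions made for the illustration.

```python
# Added example (not from the thread): two toy HTTP/1.1 request framers over
# one byte stream, to show why "Content-Length on a GET" must be processed
# rather than ignored. Hostnames, paths and the /admin check are assumptions.


def _parse_head(buf: bytes, pos: int):
    """Parse one request-line plus headers starting at buf[pos].

    Returns (method, target, headers, body_start) or None when the head is
    incomplete. Header names are lower-cased for lookup.
    """
    end = buf.find(b"\r\n\r\n", pos)
    if end == -1:
        return None
    lines = buf[pos:end].decode("ascii").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, end + 4


def split_requests(buf: bytes, honour_get_length: bool):
    """Split a byte stream into (method, target, body) tuples.

    honour_get_length=True is the RFC 2616 section 4.3 behaviour Julian
    describes: Content-Length delimits the message on every method, and a
    GET body is read (kept here, a real server might discard it) so the
    stream stays in sync. honour_get_length=False models a recipient that
    "knows" GETs have no body and ignores the header: the body bytes are
    then re-parsed as the next request on the same connection.
    """
    requests = []
    pos = 0
    while pos < len(buf):
        parsed = _parse_head(buf, pos)
        if parsed is None:
            break
        method, target, headers, body_start = parsed
        length = int(headers.get("content-length", "0"))
        if method == "GET" and not honour_get_length:
            length = 0
        body = buf[body_start:body_start + length]
        requests.append((method, target, body))
        pos = body_start + length
    return requests


def denied_targets(buf: bytes, honour_get_length: bool):
    """A toy access check (assumed, not from the thread): list the request
    targets under /admin as seen by a parser with the given framing rule."""
    return [t for _, t, _ in split_requests(buf, honour_get_length)
            if t.startswith("/admin")]


# Constructed sample streams (not captured traffic).
# 1. The harmless case from the question: GET with Content-Length: 0.
GET_CL0 = b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"

# 2. The case Jeff worries about: the GET's "body" is itself a request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
GET_WITH_BODY = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: " + str(len(SMUGGLED)).encode("ascii") + b"\r\n\r\n"
    + SMUGGLED
)

if __name__ == "__main__":
    # Content-Length: 0 -- processing and ignoring give the same answer.
    print(split_requests(GET_CL0, True) == split_requests(GET_CL0, False))  # True
    # A front end that honours the header sees one GET / with an odd body...
    print(denied_targets(GET_WITH_BODY, honour_get_length=True))   # []
    # ...while a back end that ignores it sees a second request, GET /admin.
    print(denied_targets(GET_WITH_BODY, honour_get_length=False))  # ['/admin']
```

With Content-Length: 0 both framers agree, which is the "same as ignoring" case Julian mentions. With a non-zero length the two disagree about where the first request ends, so a check applied by the strict parser (a filtering proxy, say) never sees the GET /admin that the lax parser (the origin server) goes on to execute. That framing disagreement is the mechanism later catalogued as HTTP request smuggling; the safe choice for a recipient is to read exactly the bytes Content-Length announces on every method, or to reject the request outright, never to silently drop the header.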