cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: bug #39 -- let's fix it

From: mm.w <0xcafefeed_at_gmail.com>
Date: Tue, 28 Apr 2015 08:33:32 -0700

Hello , Nicolas mainly hypothetically an attacker could take avantage of it
and inject ; the problem with being strict [which should be the way] ; you
are absolutely right on this point ; regrettably ; the reality is quite
different: I know many servers (used by a lot of folks) that are still
1.0/1.1-ish meaning they are "dirty-hybrids" ; that's the wildness of
internet ;

On Tue, Apr 28, 2015 at 8:00 AM, Nico Williams <nico_at_cryptonector.com>
wrote:

> On Tue, Apr 28, 2015 at 09:23:39AM +0200, Daniel Stenberg wrote:
> > On Mon, 27 Apr 2015, Nico Williams wrote:
> > >This breaks tests like test206, which effectively send junk in the
> > >CONNECT response.
> >
> > Hopefully changing behavior _does_ break one or more tests. It only
> > proves we actually verified the existing behavior. But changed
> > behavior would then also require changed and updated test cases
> > accordingly...
>
> Right.
>
> > >At a minimum the tests need fixing, while removing the
> > >Content-Length and Transfer-Encoding handling from
> > >Curl_proxyCONNECT() could wait for another day.
> >
> > Let's remember this:
> >
> > A server MUST NOT send any Transfer-Encoding or Content-Length header
> > fields in a 2xx (Successful) response to CONNECT.
> >
> > And let me emphasize the "2xx" part there. A CONNECT response can be
> > a lot more than just 2xx responses and both Transfer-Encoding or
> > Content-Length headers are frequently used in such responses. We
> > cannot remove the support for them without breaking numerous
> > applications.
>
> Ah, yes, so we need to only tweak the handling of 2xx responses.
>
> > We can make sure to bail out nicely and properly though if they
> > occur in 2xx responses. And add tests that verify that!
>
> RFC7231 says the client "MUST ignore", not "MUST fail" or something like
> that. I'm not sure why that would be.
>
> In any case, the tests currently have the "proxy" send junk that is not
> accounted for via Content-Length or Transfer-Encoding.
>
> Nico
> --
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-28