cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: bug #39 -- let's fix it

From: mm.w <0xcafefeed_at_gmail.com>
Date: Tue, 28 Apr 2015 15:23:14 -0700

sorry you did not got what I said ; the both sentences where not separated
; if you get twice different Content-Length you can lie ; yes some proxy
servers returns a body ; they can even have non-standard values for
Transfer-Encoding
;

Can you name any such proxies ?

yes I could ; but would not be fair.

At the end so yes they should be totally ignored ; but from time to time
you can't.

On Tue, Apr 28, 2015 at 1:48 PM, Nico Williams <nico_at_cryptonector.com>
wrote:

> On Tue, Apr 28, 2015 at 08:33:32AM -0700, mm.w wrote:
> > Hello , Nicolas mainly hypothetically an attacker could take avantage
> > of it and inject ; the problem with being strict [which should be the
>
> First, a proxy can manipulate the application protocol traffic tunneled
> over CONNECT.
>
> Secondly, if you're not using TLS between the client and the proxy, and
> TLS or similar between the either the client or the proxy and the target
> of the CONNECT, then you have all the security problems that one can
> expect.
>
> Neither bug #39 nor the RFC7231 text I quoted introduce new security
> problems.
>
> > way] ; you are absolutely right on this point ; regrettably ; the
> > reality is quite different: I know many servers (used by a lot of
> > folks) that are still 1.0/1.1-ish meaning they are "dirty-hybrids" ;
> > that's the wildness of internet ;
>
> Can you be more specific? What do 2xx responses to CONNECTs from such
> servers look like? Do they carry response bodies? Are such response
> bodies denoted with Content-Length: and/or Transfer-Encoding:?
>
> How can any CONNECT 2xx response bodies not accounted for in
> Content-Length: and/or Transfer-Encoding: be handled correctly without
> knowing their length a priori or in some other way (maybe they are
> self-delimited?)?
>
> Can you name any such proxies? Are they still supported, for any value
> of "supported"?
>
> Should we add a new CURLOPT for indicating that a proxy misbehaves?
>
> What should the sense of any such new CURLOPT be?
>
> Sorry for all the questions. They are not rethorical. If fixing bug
> #39 will break anything, it would help to know what.
>
> Nico
> --
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-04-29

This message: [ Message body ]
Next message: Nico Williams: "Re: bug #39 -- let's fix it"
Previous message: Daniel Stenberg: "Re: bug #39 -- let's fix it"
In reply to: Nico Williams: "Re: bug #39 -- let's fix it"
Next in thread: Nico Williams: "Re: bug #39 -- let's fix it"
Reply: Nico Williams: "Re: bug #39 -- let's fix it"
Reply: Daniel Stenberg: "Re: bug #39 -- let's fix it"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]