On Tue, May 28, 2002 at 08:00:16AM -0700, Justin Erenkrantz wrote:
> On Tue, May 28, 2002 at 10:18:52AM -0400, Jeff Trawick wrote:
> > okay, do try it, but (unlike somebody last night) don't try it on daedalus
> >
> > GET / HTTP/1.1
> > Accept: */*
> > Host: test
> > Content-Type: application/x-www-form-urlencoded
> > Transfer-Encoding: chunked
> >
> > AAAAAAAAAAAAAAAAAAA
>
> Hmm. Isn't that legal? A is a hex digit.
RFC2616:

    Chunked-Body   = *chunk
                     last-chunk
                     trailer
                     CRLF
    chunk          = chunk-size [ chunk-extension ] CRLF
                     chunk-data CRLF
    chunk-size     = 1*HEX
    last-chunk     = 1*("0") [ chunk-extension ] CRLF

so, strictly spoken, it is "legal". The trailing chunk could have been
0000000000000000000000000000000000000000000000000000000000000 CRLF
and still be legal.

But IMO we need to have a way to parse the hex string and detect an
integer overflow at the same time. If an overflow occurs, then a 4XX
message is appropriate (400 Bad Request rather than 413 Request Entity
Too Large).

Then, as a second step (if the number parsed all right, even if it was
incredibly long, as in this chunk of 33 bytes:
000000000000000000000000000000000000000000000000000000021 CRLF
) we can try and verify whether we accept the size. For that, we have an
upper limit defined by "LimitRequestBody bytes". Anything beyond that
can impossibly be accepted.

  Martin
--
<[EMAIL PROTECTED]>                          | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
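The two-step check Martin describes (parse the hex chunk-size while detecting overflow, answer 400 on overflow, then compare the parsed value against the configured body limit and answer 413 if it is too large) as a stand-alone C example. This is added illustration code, not Apache's own implementation: the function `parse_chunk_size`, the `chunk_status` enum and the `body_limit` parameter (standing in for `LimitRequestBody`) are names chosen here, and the sample chunk-size lines are taken from the thread above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing one chunk-size line. Names are this example's own;
 * the numeric values mirror the HTTP status the thread proposes. */
typedef enum {
    CHUNK_OK          = 0,   /* size parsed and within the body limit      */
    CHUNK_BAD_REQUEST = 400, /* overflow, no hex digit, or junk before CRLF */
    CHUNK_TOO_LARGE   = 413  /* parsed fine but exceeds the body limit      */
} chunk_status;

static int hex_value(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse "chunk-size [ chunk-extension ] CRLF" (RFC 2616 grammar quoted in
 * the thread).  Any number of leading zeros is accepted, so a long line is
 * not rejected for its length alone: it is rejected only if the value does
 * not fit in 64 bits (400) or exceeds body_limit (413).
 */
chunk_status parse_chunk_size(const char *line, uint64_t body_limit,
                              uint64_t *size_out)
{
    uint64_t size = 0;
    size_t ndigits = 0;
    const char *p = line;

    for (; *p; p++) {
        int v = hex_value((unsigned char)*p);
        if (v < 0)
            break;
        /* Step 1: overflow check before accumulating.
         * size*16 + v fits in 64 bits iff size <= (UINT64_MAX - v) / 16. */
        if (size > (UINT64_MAX - (uint64_t)v) / 16)
            return CHUNK_BAD_REQUEST;
        size = size * 16 + (uint64_t)v;
        ndigits++;
    }

    if (ndigits == 0)
        return CHUNK_BAD_REQUEST;            /* chunk-size = 1*HEX: need >= 1 */

    /* Optional whitespace and ";ext" chunk-extension, then CRLF (or bare LF). */
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == ';')
        while (*p && *p != '\r' && *p != '\n')
            p++;
    if (*p == '\r')
        p++;
    if (*p == '\n')
        p++;
    if (*p != '\0')
        return CHUNK_BAD_REQUEST;            /* garbage between size and CRLF */

    /* Step 2: the number is sound; now decide whether we accept the size. */
    if (size > body_limit)
        return CHUNK_TOO_LARGE;

    *size_out = size;
    return CHUNK_OK;
}

int main(void)
{
    /* Constructed inputs, taken from the lines quoted in the thread. */
    const char *samples[] = {
        "AAAAAAAAAAAAAAAAAAA\r\n",                                      /* 19 hex digits: overflows 64 bits */
        "0000000000000000000000000000000000000000000000000000000000000\r\n", /* legal last-chunk of zeros */
        "000000000000000000000000000000000000000000000000000000021\r\n", /* 0x21 = 33 bytes */
        "FFFFFFFF\r\n",                                                  /* fits, but above the limit */
    };
    uint64_t limit = 1048576;  /* assumed LimitRequestBody of 1 MiB */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t n = 0;
        chunk_status st = parse_chunk_size(samples[i], limit, &n);
        printf("status %d size %llu\n", (int)st, (unsigned long long)n);
    }
    return 0;
}
```

The overflow test is done before the multiply-add rather than after, because checking `size * 16 + v` for wrap-around afterwards is exactly the pattern that lets an oversized value slip through; the long runs of zeros are accepted as the grammar requires, and only the value, not the line length, decides between 200, 400 and 413.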