On Fri, 2007-01-19 at 14:20 +0800, ShuXin Zheng wrote:
> OK, since that is just for dealing with buggy servers, it should do better
> and can also handle "Transfer-Encoding and Content-Length are presented
> in one reply header". Isn't it?

It rejects responses with both chunked and content-length due to response splitting attacks, which are otherwise possible in mixed environments.

Let's deal with one protocol violation at a time. Servers sending chunked + content-length are doubly violating the protocol and won't be dealt with yet. (MUST NOT send chunked in response to HTTP/1.0 request, MUST NOT send content-length in chunked response).

If this turns out to be a significant problem with servers being broken in this manner as well then we may implement workarounds for this, but blindly doing what the RFC suggests and simply ignoring Content-Length is not secure and will cause even more problems.

Regards
Henrik
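The policy described in the message above, sketched as an added example (not Squid's code and not part of the original thread): a reply carrying both chunked transfer coding and Content-Length is rejected rather than resolved in favour of one framing, while a chunked reply to an HTTP/1.0 request is flagged as the single violation under discussion. The function names, return labels and sample responses are assumptions made for illustration.

```python
# Constructed sample responses (not captured traffic).
BOTH = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
        b"Content-Length: 5\r\n\r\n")
CHUNKED_ONLY = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
LENGTH_ONLY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
MIXED_CASE = (b"HTTP/1.1 200 OK\r\ntransfer-encoding: gzip, Chunked\r\n"
              b"CONTENT-LENGTH: 5\r\n\r\n")


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: [values]} for the header block of a response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_chunked(headers: dict) -> bool:
    """True if any Transfer-Encoding value lists the 'chunked' coding."""
    codings = ",".join(headers.get("transfer-encoding", []))
    return any(c.strip().lower() == "chunked" for c in codings.split(","))


def classify(request_version: str, raw_response: bytes) -> str:
    """Hypothetical labels for how a proxy following this policy treats a reply.

    'reject'           - chunked and Content-Length together: the two framings
                         can disagree about where the body ends, so the proxy
                         does not pick one and forward the rest.
    'single-violation' - chunked reply to an HTTP/1.0 request only; how the
                         workaround handles it is outside this example.
    'ok'               - no framing conflict.
    """
    headers = parse_headers(raw_response)
    chunked = is_chunked(headers)
    if chunked and "content-length" in headers:
        return "reject"
    if chunked and request_version == "HTTP/1.0":
        return "single-violation"
    return "ok"
```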
