jech / polipo

The Polipo caching HTTP proxy
http://www.pps.jussieu.fr/~jch/software/polipo/
MIT License

POST without Content-Length #33

Closed Jamie-Landeg-Jones closed 9 years ago

Jamie-Landeg-Jones commented 9 years ago

According to the specs, a POST with no payload is allowed to be made without the Content-Length header (i.e. it defaults to 0)

This is now being done by the latest version of UCBrowser for Android.

POSTs without data are often ways to ensure links are not actuated maliciously with inline code.

For example, the forum voting here: http://forums.theregister.co.uk/forum/3/2014/07/29/feature_spectral_approach_to_scottish_independence/

Using Polipo, the above now fails with a lack of content-length warning.

Simple fix:

--- client.c.orig       2014-05-14 23:19:43.000000000 +0100
+++ client.c    2014-07-31 22:23:04.000000000 +0100
@@ -738,7 +738,7 @@
     connection->reqbegin = i;

     if(body_len < 0) {
-        if(request->method == METHOD_GET || request->method == METHOD_HEAD)
+        if(request->method == METHOD_GET || request->method == METHOD_HEAD || request->method == METHOD_POST)
             body_len = 0;
     }
     connection->bodylen = body_len;
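Review bot: the `+` line still frames the fix as a per-method whitelist (`METHOD_GET || METHOD_HEAD || METHOD_POST`), whereas the RFC 7230 section 3.3.3 rule cited later in this thread makes the zero-length default apply to every request that carries neither Content-Length nor Transfer-Encoding. Assuming `body_len < 0` here means neither header was seen, the `if(request->method == ...)` test can be dropped and `body_len = 0;` applied unconditionally, otherwise requests with other methods keep hitting the same missing-length error. Making the proxy's framing decision match the RFC rule the origin server follows also keeps the two from disagreeing about where a request ends, which is the defensive reason to follow 3.3.3 exactly rather than special-casing methods.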

Ref: http://tools.ietf.org:80/html/draft-ietf-httpbis-p1-messaging-20

Cheers, Jamie

jech commented 9 years ago

> According to the specs, a POST with no payload is allowed to be made without the Content-Length header (i.e. it defaults to 0)

Could you please give me the exact reference?

> This is now being done by the latest version of UCBrowser for Android.

Ah. Thanks for the info.

-- Juliusz

ir193 commented 9 years ago

I think Jamie is right. According to the latest specs, for request messages, if no Content-Length and Transfer-Encoding are present, then the message body length is zero (no message body is present).

http://tools.ietf.org/html/rfc7230#section-3.3.3

Jamie-Landeg-Jones commented 9 years ago

Apologies for not replying sooner - for some reason, I never received the email notification.

Yeah, ir193 posted the link and section (3.3.3) - (My link was to a draft, and I forgot to include the section, sorry!)

RFC 7230 appears to be trying to close some of the previous ambiguities. In addition to what ir193 has posted above, 3.3.2 says:

> A user agent SHOULD send a Content-Length in a request message when no Transfer-Encoding is sent and the request method defines a meaning for an enclosed payload body. For example, a Content-Length header field is normally sent in a POST request even when the value is 0 (indicating an empty payload body).

Though I read the use of SHOULD instead of MUST, and the word 'normally', to mean that the section 3.3.3 described fallback to 'no Content-Length = no body' as opposed to 'no Content-Length = error 400' should also be honoured.

Cheers!
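The RFC 7230 section 3.3.3 rules that ir193 and Jamie cite, as an added example in C that is not polipo's code: it decides a request's body framing from a CRLF-separated header block, with the hypothetical names `find_header` and `request_body_length` and an 18-digit cap on Content-Length chosen here. It goes beyond the thread's case (no Content-Length on a POST, which is a zero-length body) to the other branches of 3.3.3, where conflicting or malformed framing headers are rejected rather than guessed.

```c
/* Added example, not polipo code: RFC 7230 3.3.3 body framing for a request. */
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
enum body_kind { BODY_LENGTH, BODY_CHUNKED, BODY_BAD_REQUEST };
/* Find header `name` in a CRLF-separated block; returns its value (leading
   whitespace skipped) and sets *len, or NULL when the header is absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *len) {
    size_t n = strlen(name);
    for (const char *p = hdrs; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > n && strncasecmp(p, name, n) == 0 && p[n] == ':') {
            const char *v = p + n + 1;
            while (v < p + linelen && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(p + linelen - v);
            return v;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return NULL;
}
/* Decide how the request body is delimited. On BODY_LENGTH, *out is the length.
   Transfer-Encoding wins over Content-Length; both present is rejected here. */
enum body_kind request_body_length(const char *hdrs, long *out) {
    size_t tlen, clen, dup; long v = 0;
    const char *te = find_header(hdrs, "Transfer-Encoding", &tlen);
    const char *cl = find_header(hdrs, "Content-Length", &clen);
    if (te) {
        if (cl) return BODY_BAD_REQUEST;   /* conflicting framing: do not guess */
        const char *last = te + tlen;      /* final encoding listed must be chunked */
        while (last > te && (last[-1] == ' ' || last[-1] == '\t')) last--;
        if (last - te >= 7 && strncasecmp(last - 7, "chunked", 7) == 0) return BODY_CHUNKED;
        return BODY_BAD_REQUEST;           /* e.g. "chunked, gzip": length unknown */
    }
    if (cl) {
        /* empty, oversized or duplicated Content-Length: reject (RFC permits this) */
        if (clen == 0 || clen > 18 || find_header(cl + clen, "Content-Length", &dup)) return BODY_BAD_REQUEST;
        for (size_t i = 0; i < clen; i++) {
            if (!isdigit((unsigned char)cl[i])) return BODY_BAD_REQUEST;
            v = v * 10 + (cl[i] - '0');
        }
        *out = v;
        return BODY_LENGTH;
    }
    *out = 0;   /* neither header on a request: empty body, not an error (the polipo fix) */
    return BODY_LENGTH;
}
```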

jech commented 9 years ago

Applied, thanks.