HTTP内容长度标头是否值得信任? [英] Is HTTP Content-Length Header Safe to Trust?

问题描述

信任Content-Length HTTP标头是否安全?根据 MDN文档，它是一个Forbidden header name.如果我转到该页面，则会显示以下内容.

Is it safe to trust the Content-Length HTTP header? According to the MDN docs it is a Forbidden header name. If I go to that page it says the following.

禁止修改此类标头，因为用户代理保留对标头的完全控制权.

Modifying such headers is forbidden because the user agent retains full control over them.

但是，如果您控制用户代理，还不会有欺骗这些值的方法吗?

But wouldn't there still be a way to spoof these values if you control the user agent?

我只是想弄清楚信任

I'm just trying to figure out how safe it is to trust those headers on that Forbidden header name page and if they are able to be spoofed at all.

推荐答案

鉴于您所描述的情况，是的，客户端可能会设置不正确的Content-Length.无法保证它是正确的.

Given the scenario you describe, yes it's possible for a client to set the incorrect Content-Length. There is no guarantee that it's correct.

如果Content-Length太大，则服务器可能会等待并超时以获取剩余数据.如果太小，服务器可能会在整个主体进入之前切断TCP连接，或者在Connection: Keep-Alive的情况下，服务器可能会认为客户端启动了另一个HTTP请求，感到困惑并发送了错误的请求响应.

If Content-Length is too large, a server might wait and time-out to get the remainder of the data. If it's too small, the server might cut the TCP connection before the entire body came in, or in the case of Connection: Keep-Alive the server might assume the client started another HTTP request, get confused and send a bad request response.

这篇关于HTTP内容长度标头是否值得信任?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！