HTTP请求消息正文的存在和长度 [英] HTTP Request Message Body Existence and Length
问题描述
基于HTTP请求方法和标头,HTTP服务器必须确定在关闭HTTP请求标头的CRLFCRLF之后是否期望消息体,并且当它确实期望一个消息体时,该消息体长多少字节.
Based on the HTTP Request Method and Headers, a HTTP server has to determine whether or not to expect a Message Body after the closing CRLFCRLF of the HTTP Request Headers, and also when it does expect one, how many bytes long it is.
如何计算?通过请求方法和标头的功能,我们可以计算请求消息正文的长度.
How is this calculation made? By what function of the request method and headers can we calculate the length of the request message body.
跟进:
因此,解析标头后的HTTP服务器可以简单地执行以下操作:
So the HTTP server after parsing the header can simply do the following:
size_t RequestMessageBodyLength()
{
if (RequestHeaderExists("Content-Length"))
return RequestHeaderValue("Content-Length");
else
return 0;
}
上面没有涵盖某些极端情况吗?
Are there corner cases not covered by the above?
(我希望不是,HEAD请求的情况仅用于响应,而不是请求)
(I expect not, the case of the HEAD request is only for the response, not the request)
推荐答案
为此有一个完整的标头,称为Content-Length,该标头指定为此处.
There is an entire header for this, called Content-Length, which is specified here and probably explained better here.
有待跟进:
是的,只要服务器不关心安全性,它就可以使用您上面发布的伪代码.关于安全性的一般规则是:不要信任您未生成的输入.在这种情况下,攻击者可以发送带有标头Content-Length: 1000000的数千个请求,服务器将分配数千个字节的缓冲区并等待内容进入,从而拒绝为合法用户提供服务.生产型HTTP服务器必须考虑到这种可能性,并使用超时和其他方法来确保不会发生此问题或攻击者难以创建此问题.
Yes, a server can use the pseudocode you posted above, as long as it isn't concerned about security. The general rule about security is: don't trust input that you didn't generate. In this case, an attacker could send thousands of requests with header Content-Length: 1000000, and the server would allocate thousands of million-byte buffers and wait around for the content to come in, denying service to legitimate users. A production HTTP server has to account for this possibility, and use timeouts and other means to make sure that this problem doesn't occur, or is difficult for an attacker to create.
这篇关于HTTP请求消息正文的存在和长度的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
