1

Based on the HTTP Request Method and Headers, an HTTP server has to determine whether or not to expect a Message Body after the closing CRLFCRLF of the HTTP Request Headers, and also when it does expect one, how many bytes long it is.

How is this calculation made? By what function of the request method and headers can we calculate the length of the request message body?

Followup:

So the HTTP server after parsing the header can simply do the following:

size_t RequestMessageBodyLength()
{
    if (RequestHeaderExists("Content-Length"))
        return RequestHeaderValue("Content-Length");
    else
        return 0;
}

Are there corner cases not covered by the above?

(I expect not, the case of the HEAD request is only for the response, not the request)

Andrew Tomazos

2 Answers

2

There is an entire header for this, called Content-Length, which is specified here and probably explained better here.

Answer to followup:

Yes, a server can use the pseudocode you posted above, as long as it isn't concerned about security. The general rule about security is: don't trust input that you didn't generate. In this case, an attacker could send thousands of requests with header Content-Length: 1000000, and the server would allocate thousands of million-byte buffers and wait around for the content to come in, denying service to legitimate users. A production HTTP server has to account for this possibility, and use timeouts and other means to make sure that this problem doesn't occur, or is difficult for an attacker to create.

Adam Mihalcin
  • You're assuming that the server allocates a single buffer of Content-Length length, whereas it could simply stream chunks for that total amount of bytes to wherever they are supposed to go. It is necessary to respect the Content-Length field to support HTTP 1.1 Keep-Alive - otherwise there is no way to know when one request ends and a new request begins. – Andrew Tomazos Feb 05 '12 at 11:50
  • @user1131467 But "wherever they are supposed to go" depends on the application. For one application, you may be using CGI and just redirect the file descriptors of the child process, and hope that whoever wrote the application was concerned about security. For another application though, you may be writing a Rails-like server in which, as soon as the Ruby code starts executing, it expects to know whether the browser posted the key-value pair "password=secret". In that case, you have to wait for all the data to come in, and use timeouts to defend against the DoS attack I described. – Adam Mihalcin Feb 05 '12 at 17:23
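
An added example, not part of the original posts: a C sketch of the calculation the question asks about, following the HTTP/1.1 message body length rules (RFC 9112, section 6.3), which also cover `Transfer-Encoding: chunked`, and applying the kind of size cap the first answer's DoS concern calls for. The names `request_body_framing`, `struct header` and `MAX_BODY_BYTES` are assumptions made for illustration, and header values are assumed to be already trimmed by the header parser.

```c
#include <stddef.h>
#include <stdint.h>
#include <strings.h>

/* Assumed policy limit (not from the page): largest body this server accepts. */
#define MAX_BODY_BYTES (1u << 20)

enum framing { BODY_NONE, BODY_FIXED, BODY_CHUNKED, BODY_REJECT, BODY_TOO_LARGE };
struct header { const char *name, *value; };  /* value assumed already trimmed */

/* Strict 1*DIGIT parse: no sign, no spaces, no empty string, no overflow. */
static int parse_length(const char *s, uint64_t *out)
{
    uint64_t n = 0;
    if (*s == '\0') return -1;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return -1;
        uint64_t d = (uint64_t)(*s - '0');
        if (n > (UINT64_MAX - d) / 10) return -1;
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Decide how the request body is delimited; *len is set only for BODY_FIXED. */
enum framing request_body_framing(const struct header *h, size_t count, uint64_t *len)
{
    int have_cl = 0, have_te = 0;
    uint64_t cl = 0, v = 0;
    for (size_t i = 0; i < count; i++) {
        if (strcasecmp(h[i].name, "Transfer-Encoding") == 0) {
            /* Simplification: only a single plain "chunked" coding is accepted. */
            if (have_te || strcasecmp(h[i].value, "chunked") != 0) return BODY_REJECT;
            have_te = 1;
        } else if (strcasecmp(h[i].name, "Content-Length") == 0) {
            if (parse_length(h[i].value, &v) != 0) return BODY_REJECT;
            if (have_cl && v != cl) return BODY_REJECT;  /* conflicting duplicates */
            have_cl = 1;
            cl = v;
        }
    }
    if (have_te && have_cl) return BODY_REJECT;     /* ambiguous framing: refuse */
    if (have_te) return BODY_CHUNKED;               /* length comes from chunk sizes */
    if (!have_cl) return BODY_NONE;                 /* no framing header: no body */
    if (cl > MAX_BODY_BYTES) return BODY_TOO_LARGE; /* cap before reading anything */
    *len = cl;
    return BODY_FIXED;
}
```

The cap bounds only the declared size; a read timeout on the connection is still needed for a client that declares a small body and never sends it.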
0

The length of the message body is calculated by the sender of the message. The length value is placed in the HTTP header Content-Length when the message is assembled.

Mophilly