cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Verification of Content-Length

From: David Strauss <david_at_davidstrauss.net>
Date: Mon, 29 Apr 2013 20:19:12 -0700

On Mon, Apr 29, 2013 at 2:21 PM, Daniel Stenberg <daniel_at_haxx.se> wrote:
> It MUST handle the Content-Length value to speak HTTP at all. It is part of
> the message framing.

We're coming from Neon here, so our expectations are low in terms of
how much HTTP the library does for us. For example, Neon just give you
a function to read the body into a file descriptor, and the function
returns the number of bytes read. It's then your job to check the
count against what it's supposed to be. I strongly prefer the libcurl
model with callbacks and a full HTTP state machine.

> MD5 is not considered a very safe digest algorithm and Content-MD5 is known
> to be implemented inconsistently... The results being that it will not be in
> the upcoming revision of the HTTP 1.1 spec!

Good to know. I'll do some research into the future of HTTP message framing.

We're trying to implement this for our own server/client communication
and our communication with S3, so the set of implementations needing
to interoperate is pretty limited. The goal is to checksum, not to
avoid attacks. MD5 is quite adequate for that. I would like to use a
standard rather than rolling our own method, though.

--
David Strauss
   | david_at_davidstrauss.net
   | +1 512 577 5827 [mobile]
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2013-04-30