"The HTTP parser in all current versions of Node.js ignores spaces in the Content-Length header, allowing input such as Content-Length: 1 2 to be interpreted as having a value of 12." #NodeJS CVE-2018-7159 https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ …
-
-
-
If the content is actually 1 byte long and you can convince the server to try to read 12 bytes, then bad things may happen (typical attack scenario require a proxy server I guess). But, I must admit I don’t understand this « content-length: 1 2” syntax
1 reply 0 retweets 0 likes -
One can always send 1-byte content with a "Content-Length: 12" header without this "feature". If this is to confuse intermediary parties (proxies, security scanners), it would be a security issue in them, not in node.js.
1 reply 0 retweets 0 likes
I think this is the other way around. RFC 7230-compliant gateways would inspect only 1 byte of traffic on "Content-Length: 1 XXX". It is *not* expected that the receiving endpoint would actually process 1XXX bytes.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.