Bugtraq mailing list archives

Re: IE4 Persistent Connection Bug


From: dave () SRCE HR (Drazen Kacar)
Date: Mon, 25 Jan 1999 06:45:37 +0100


Joel Moses wrote:
     The document below details a connection-reuse problem which uses
     persistent connections even when they have either 1) been specifically
     disabled, or 2) have been told to close by a server "Connection:
     close".

[...]
     ------------------------------------------------------------------
     $ nc -p 9000 -l
     GET http://www.somesite.com/ HTTP/1.0
     Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
     application/vnd.ms-excel, application/msword,
     application/vnd.ms-powerpoint, */*
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
     Host: www.somesite.com
     Proxy-Connection: Keep-Alive

     "HTTP/1.1 200 OK"
     "Connection: close"
     "Content-Length: 5"

     "abcde"
     ------------------------------------------------------------------

     The browser will display "abcde," and the IE logo will stop
     circulating. However, the connection will not -- as requested by the
     server -- close. If you issue another page request in the browser for

You mean "as requested by the origin server." The Connection header is hop-by-hop,
which means that it has a meaning for a connection between the origin server
and the proxy server only. The proxy server doesn't have to propagate it to the
user agent. And there is a Proxy-Connection header in the request.
I don't know where that one is defined (it isn't in RFC 1945, nor in RFC 2068,
nor in the latest HTTP/1.1 draft), but I would assume it has something to do
with open connections between the user agent and the proxy server.

     a different site, the request will come through on this
     previously-opened connection, e.g.,:

     ------------------------------------------------------------------
     GET http://www.othersite.com/ HTTP/1.0
     Accept: image/gif, image/x-bitmap, image/jpeg, image/pjpeg,
     application/vnd.ms-excel, application/msword,
     application/vnd.ms-powerpoint, */*
     Accept-Language: en-us
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 4.01, Windows 95)
     Host: www.othersite.com
     Proxy-Connection: Keep-Alive
     ------------------------------------------------------------------

     This clearly violates HTTP/1.0 behavior, with which the browser
     reports to the server that it complies.

It doesn't. Your netcat "proxy" violates it. Here's a quote from RFC 1945:

  Except for experimental applications, current practice requires that
  the connection be established by the client prior to each request and
  closed by the server after sending the response.

     Netscape 4.x behaves correctly and closes the connection itself when
     faced with the same situation.

See above. The server is responsible for closing the connection. Server
here means either the origin server or the proxy server, whichever happens to be
connected to the user agent.

--
 .-.   .-.    Life is a sexually transmitted disease.
(_  \ /  _)
     |        dave () srce hr
     |        dave () fly cc fer hr
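
Added example, not part of the original message or of any real proxy's code: how a proxy could consume the origin's `Connection: close` as a hop-by-hop header and make its own close decision for the browser-facing connection. The function names are hypothetical, and treating `Proxy-Connection` as hop-by-hop is an assumption, since the message notes that header is not defined in the RFCs it cites.

```python
# Added illustration; function names and the Proxy-Connection handling are assumptions.

def parse_head(raw: bytes):
    """Split a raw HTTP message into (start_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def strip_hop_by_hop(headers):
    """Drop Connection, every header it names, and Proxy-Connection."""
    drop = {"connection", "proxy-connection"}
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return [(n, v) for n, v in headers if n.lower() not in drop]


def relay(request: bytes, origin_response: bytes):
    """Return (bytes_for_client, close_client_socket) for one proxied exchange."""
    req_line, _, _ = parse_head(request)
    status, headers, body = parse_head(origin_response)
    kept = strip_hop_by_hop(headers)
    # HTTP/1.0 request: per the RFC 1945 practice quoted above, the server
    # side of this hop (the proxy) closes after sending the response.
    close_client = req_line.rsplit(" ", 1)[-1] == "HTTP/1.0"
    out = "\r\n".join([status] + [f"{n}: {v}" for n, v in kept]) + "\r\n\r\n"
    return out.encode("iso-8859-1") + body, close_client


# Constructed sample based on the exchange in the post (request headers trimmed).
REQUEST = (b"GET http://www.somesite.com/ HTTP/1.0\r\n"
           b"Host: www.somesite.com\r\n"
           b"Proxy-Connection: Keep-Alive\r\n\r\n")
ORIGIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Connection: close\r\n"
                   b"Content-Length: 5\r\n\r\n"
                   b"abcde")

if __name__ == "__main__":
    to_client, close_client = relay(REQUEST, ORIGIN_RESPONSE)
    print(to_client.decode("iso-8859-1"))
    print("proxy closes client connection:", close_client)
```

The parser does not handle folded (continuation) header lines such as the wrapped Accept header in the captured request, which is why the sample request is trimmed.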


