[SR-Dev] content length
Andrei Pelinescu-Onciul
andrei at iptel.org
Mon Mar 30 17:15:22 CEST 2009
On Mar 30, 2009 at 18:12, Juha Heinanen <jh at tutpro.com> wrote:
> Andrei Pelinescu-Onciul writes:
>
> > It's an abort() to quickly catch bugs (the content length value should
> > always be checked and _never_ trusted) and to force people to fix
> > them.
> >
> > We could eliminate the abort() but then the incentive for fixing the
> > real bug will be reduced :-)
>
> it is very bad idea to make proxy owner to pay for bugs in UAs. if
> proxy returns an error to UA, it is the best incentive for the UA owner
> to fix the bug.
>
It's not a bug in the UA, it's a bug in the proxy code that uses a
Content-Length received from the network without checking if it's valid.
All such code instances must be changed and Content-Length must always
be checked and never trusted, before using it for anything.
That's what the abort() is for.
So removing the abort() it would fix the symptom, but not the real bug.
Andrei
More information about the sr-dev
mailing list