What is the maximum chunk size in HTTP response with Transfer-Encoding chunked?

Solution 1

Each chunk extension must begin with a semi-colon and the list of chunk extensions must end with a CRLF. When parsing the chunk-size, stop at either a semi-colon or a CRLF. If you stopped at a semi-colon, ignore everything up to the next CRLF. There is no need for a maximum chunk-size.

chunk          = chunk-size [ chunk-extension ] CRLF
                 chunk-data CRLF

chunk-size     = 1*HEX

chunk-extension= *( ";" chunk-ext-name [ "=" chunk-ext-val ] )

Solution 2

The HTTP specification is pretty clear about the syntax of the HTTP messages.

The chunk size is always given as a hexadecimal number. If that number is not directly followed by a CRLF, but a ; instead, you know that there is an extension. This extension is identified by its name (chunk-ext-name). If you never heard of that particular name, you MUST ignore it.

So what exactly is your problem?

  • Read a hexadecimal number
  • Ignore everything up to the next CRLF
  • Be happy

Author by

schwer

Updated on June 04, 2022

Comments

  • schwer almost 2 years

    The w3.org (RFC2616) seems not to define a maximum size for chunks. But without a maximum chunk-size there is no space for the chunk-extension. There must be a maximum chunk-size, else I can't ignore the chunk-extension as I'm advised to do if it can't be understood (Quote: "MUST ignore chunk-extension extensions they do not understand").

    • Yahia over 12 years
      Why do you think you need a maximum size? Are you implementing a server? A client? A proxy?
  • smRaj about 9 years
    I would like to ask what you would suggest doing when the server is corrupt and sending a never-ending hexadecimal number? Be a victim and read the never-ending hexadecimal number forever, or fix a limit that suits your application and throw out a warning when that happens?
  • smRaj about 9 years
    Request your thoughts for the same question I posted in Roland's answer.
  • David Schwartz about 9 years
    @smRaj Whatever makes the most sense in your application, probably setting a reasonable limit.
  • smRaj about 9 years
    @DavidSchwartz: That helps.
  • puchu almost 4 years
    You can't just ignore it; this is a potential security leak. You have to limit the chunk metadata (size and list of extensions) to a reasonable length.
  • puchu almost 4 years
    PS: that's why you shouldn't use the abandoned nodejs http parser. Please look here. It doesn't make an overflow check; it is possible to hang this parser forever with a simple attack.
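
An added example, not code from the original answers or comments: a C parser for the chunk header line that follows the answers (read the hex size, skip unknown extensions up to CRLF) while bounding both the size value and the line length, as the comments recommend. The limits `MAX_HEADER_LINE` and `MAX_CHUNK_SIZE`, the status names and the function name are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Both limits are assumptions for this example; pick values that fit your application. */
#define MAX_HEADER_LINE 256u                /* bytes scanned for size + extensions */
#define MAX_CHUNK_SIZE  (16u * 1024 * 1024) /* largest chunk-size accepted */

enum ch_status { CH_OK, CH_NEED_MORE, CH_BAD_SYNTAX, CH_LINE_TOO_LONG, CH_SIZE_TOO_BIG };

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "chunk-size [ chunk-extension ] CRLF" at the start of buf[0..len).
 * On CH_OK, *size is the chunk-data length and *consumed the header length. */
enum ch_status parse_chunk_header(const char *buf, size_t len,
                                  uint64_t *size, size_t *consumed)
{
    uint64_t n = 0;
    size_t i = 0;

    /* chunk-size = 1*HEX. n <= MAX_CHUNK_SIZE before each step, so n*16 cannot wrap. */
    for (; i < len && i < MAX_HEADER_LINE; i++) {
        int v = hex_val((unsigned char)buf[i]);
        if (v < 0) break;
        n = n * 16 + (uint64_t)v;
        if (n > MAX_CHUNK_SIZE) return CH_SIZE_TOO_BIG;
    }
    if (i == MAX_HEADER_LINE) return CH_LINE_TOO_LONG; /* e.g. endless leading zeros */
    if (i == len) return CH_NEED_MORE;
    if (i == 0 || (buf[i] != ';' && buf[i] != '\r')) return CH_BAD_SYNTAX;

    /* Unknown extensions are skipped up to CRLF, but only within the line cap. */
    for (; i < len; i++) {
        if (i == MAX_HEADER_LINE) return CH_LINE_TOO_LONG;
        if (buf[i] == '\n') return CH_BAD_SYNTAX;       /* bare LF is not a terminator */
        if (buf[i] == '\r') {
            if (i + 1 == len) return CH_NEED_MORE;
            if (buf[i + 1] != '\n') return CH_BAD_SYNTAX;
            *size = n;
            *consumed = i + 2;
            return CH_OK;
        }
    }
    return CH_NEED_MORE;
}
```

A caller that gets `CH_NEED_MORE` reads more bytes and retries; any other non-OK status is a reason to stop reading and close the connection.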