net/http: support multiple identical Content-Length headers #16490

Closed
godsey opened this issue Jul 25, 2016 · 5 comments

@godsey

commented Jul 25, 2016

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    go version go1.6.3 linux/amd64
  2. What operating system and processor architecture are you using (go env)?
    GOARCH="amd64"
    GOBIN=""
    GOEXE=""
    GOHOSTARCH="amd64"
    GOHOSTOS="linux"
    GOOS="linux"
    GOPATH=""
    GORACE=""
    GOROOT="/usr/lib/go"
    GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
    GO15VENDOREXPERIMENT="1"
    CC="gcc"
    GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
    CXX="g++"
    CGO_ENABLED="1"
  3. What did you do?
    Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
  4. What did you expect to see?
    I expected an HTTP response.
  5. What did you see instead?
    http: message cannot contain multiple Content-Length headers

The Patch:
300d9a2

Added check -> net/http: harden Server against request smuggling

The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.

https://tools.ietf.org/html/rfc7230#page-30

If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.

Current check:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    return 0, errors.New("http: message cannot contain multiple Content-Length headers")
}

Proposed alteration to check allowing duplicate Content-Length headers:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    // Duplicate fields are tolerated only when every value is identical;
    // on success execution falls through to the existing single-value path.
    check := contentLens[0]
    for _, contentLength := range contentLens {
        if check != contentLength {
            return 0, errors.New("http: message cannot contain multiple Content-Length header values")
        }
    }
}

Example response header from vendor tools:

< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
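
The RFC 7230 rule quoted above, carried through as a worked example that is not part of the issue, of the proposed patch, or of Go's net/http. It goes a little beyond the proposal: it also handles the single comma-separated field form ("42, 42"), validates each value against the 1*DIGIT grammar, and collapses the duplicates to one field as the RFC's "replace" branch requires, so that no later stage (a proxy, a second parser) can pick a different copy. Conflicting copies, which are the shape an HTTP request-smuggling attempt takes, are rejected. The function name contentLengthOf and the sample headers in main are assumptions; the 9606 values are taken from the vendor response quoted in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// contentLengthOf applies the RFC 7230 section 3.3.2 rule for duplicated
// Content-Length to h (hypothetical helper, not net/http's own code).
// Repeated fields and a single comma-separated field ("42, 42") are accepted
// only when every value is the same decimal number; the header is then
// collapsed to one field holding that value. Conflicting or malformed values
// are rejected with an error. The bool is false when no Content-Length is
// present at all, in which case the caller falls back to other framing rules.
func contentLengthOf(h http.Header) (int64, bool, error) {
	raw := h[http.CanonicalHeaderKey("Content-Length")]
	if len(raw) == 0 {
		return 0, false, nil
	}
	var (
		seen  bool
		first uint64
	)
	for _, field := range raw {
		// A single field may itself be a list combined by an upstream processor.
		for _, tok := range strings.Split(field, ",") {
			tok = strings.TrimSpace(tok)
			// The grammar is 1*DIGIT: reject "", "+42", "-1", "4 2", "0x2a".
			if tok == "" || strings.Trim(tok, "0123456789") != "" {
				return 0, true, fmt.Errorf("http: bad Content-Length %q", tok)
			}
			n, err := strconv.ParseUint(tok, 10, 63) // bitSize 63 keeps the value within int64
			if err != nil {
				return 0, true, fmt.Errorf("http: bad Content-Length %q: %v", tok, err)
			}
			if seen && n != first {
				// Request-smuggling case: two parsers could disagree on which
				// copy to trust, so the message is rejected outright.
				return 0, true, fmt.Errorf("http: message cannot contain multiple Content-Length header values (%q)", raw)
			}
			first, seen = n, true
		}
	}
	// RFC 7230 "replace" branch: one canonical field before body framing.
	h.Set("Content-Length", strconv.FormatUint(first, 10))
	return int64(first), true, nil
}

func main() {
	// Constructed from the vendor response quoted in the issue: the same
	// Content-Length field appears twice.
	vendor := http.Header{}
	vendor.Add("Content-Length", "9606")
	vendor.Add("Content-Length", "9606")
	n, ok, err := contentLengthOf(vendor)
	fmt.Println(n, ok, err, vendor["Content-Length"])

	// Constructed list form, as a combining proxy might emit it.
	list := http.Header{"Content-Length": {"42, 42"}}
	n, ok, err = contentLengthOf(list)
	fmt.Println(n, ok, err, list["Content-Length"])

	// Constructed conflicting copies: must be rejected.
	conflict := http.Header{"Content-Length": {"9606", "12"}}
	_, _, err = contentLengthOf(conflict)
	fmt.Println(err)
}
```

The comparison is on the parsed decimal value rather than the raw string, which is what the RFC text says ("the same decimal value"); a stricter implementation may compare the trimmed strings instead and reject "42" alongside "042". Either way the important property is that a message with two different lengths never reaches body framing.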

@bradfitz bradfitz added this to the Go1.8 milestone Jul 25, 2016

@bradfitz bradfitz changed the title RFC 7230 (Support Multiple (identical) Content-Length Headers) net/http: support multiple identical Content-Length headers Jul 25, 2016

@bradfitz
Member

commented Jul 25, 2016

Thanks for the report. I can look into this when the Go 1.8 tree opens.

@quentinmit quentinmit added the NeedsFix label Oct 7, 2016

@quentinmit
Contributor

commented Oct 7, 2016

ping @bradfitz, 1.8 is now open

@bradfitz
Member

commented Oct 16, 2016

@odeke-em, you want to do this one?

@odeke-em
Member

commented Oct 16, 2016

Yap yap. Thank you @bradfitz!

@odeke-em odeke-em self-assigned this Oct 16, 2016

@gopherbot

commented Oct 16, 2016

CL https://golang.org/cl/31252 mentions this issue.

@gopherbot gopherbot closed this in fe4307f Oct 17, 2016

@golang golang locked and limited conversation to collaborators Oct 17, 2017
