net/http: support multiple identical Content-Length headers #16490
Comments
Thanks for the report. I can look into this when the Go 1.8 tree opens. |
ping @bradfitz, 1.8 is now open |
@odeke-em, you want to do this one? |
Yap yap. Thank you @bradfitz! |
CL https://golang.org/cl/31252 mentions this issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Please answer these questions before submitting your issue. Thanks!
go version
)?go version go1.6.3 linux/amd64
go env
)?GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT="1"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"
Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
I expected http response.
http: message cannot contain multiple Content-Length headers
The Patch:
300d9a2
Added check -> net/http: harden Server against request smuggling
The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.
https://tools.ietf.org/html/rfc7230#page-30
If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.
Current check:
Proposed alteration to check allowing duplicate Content-Length headers:
Example response header from vendor tools:
< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
The text was updated successfully, but these errors were encountered: