Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: support multiple identical Content-Length headers #16490

Closed
godsey opened this issue Jul 25, 2016 · 5 comments
Closed

net/http: support multiple identical Content-Length headers #16490

godsey opened this issue Jul 25, 2016 · 5 comments
Assignees
@bradfitz @odeke-em
Labels
FrozenDueToAge NeedsFix Suggested help wanted
Milestone
Go1.8

Comments

@godsey
Copy link

@godsey godsey commented Jul 25, 2016

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    go version go1.6.3 linux/amd64
  2. What operating system and processor architecture are you using (go env)?
    GOARCH="amd64"
    GOBIN=""
    GOEXE=""
    GOHOSTARCH="amd64"
    GOHOSTOS="linux"
    GOOS="linux"
    GOPATH=""
    GORACE=""
    GOROOT="/usr/lib/go"
    GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
    GO15VENDOREXPERIMENT="1"
    CC="gcc"
    GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
    CXX="g++"
    CGO_ENABLED="1"
  3. What did you do?
    Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
  4. What did you expect to see?

I expected http response.

  1. What did you see instead?

http: message cannot contain multiple Content-Length headers

The Patch:
300d9a2

Added check -> net/http: harden Server against request smuggling

The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.

https://tools.ietf.org/html/rfc7230#page-30

If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.

Current check:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    return 0, errors.New("http: message cannot contain multiple Content-Length headers")
}

Proposed alteration to check allowing duplicate Content-Length headers:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    check := contentLens[0]
       for _, contentLength := range contentLens {
        if check != contentLength {
            return 0, errors.New("http: message cannot contain multiple Content-Length header values")
        }
    }
}

Example response header from vendor tools:

< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
@bradfitz bradfitz added this to the Go1.8 milestone Jul 25, 2016
@bradfitz bradfitz changed the title RFC 7230 (Support Multiple (identical) Content-Length Headers) net/http: support multiple identical Content-Length headers Jul 25, 2016
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented Jul 25, 2016

Thanks for the report. I can look into this when the Go 1.8 tree opens.
@quentinmit quentinmit added the NeedsFix label Oct 7, 2016
@quentinmit

This comment has been minimized.

Sign in to view
Copy link
Contributor

@quentinmit quentinmit commented Oct 7, 2016

ping @bradfitz, 1.8 is now open
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented Oct 16, 2016

@odeke-em, you want to do this one?
@odeke-em

This comment has been minimized.

Sign in to view
Copy link
Member

@odeke-em odeke-em commented Oct 16, 2016

Yap yap. Thank you @bradfitz!
@odeke-em odeke-em self-assigned this Oct 16, 2016
@gopherbot

This comment has been minimized.

Sign in to view
Copy link

@gopherbot gopherbot commented Oct 16, 2016

CL https://golang.org/cl/31252 mentions this issue.
@gopherbot gopherbot closed this in fe4307f Oct 17, 2016
@golang golang locked and limited conversation to collaborators Oct 17, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bradfitz bradfitz

@odeke-em odeke-em

Labels
FrozenDueToAge NeedsFix Suggested help wanted
Projects
None yet
Milestone
  Go1.8
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@godsey @bradfitz @quentinmit @odeke-em @gopherbot
You can’t perform that action at this time.