net/http: support multiple identical Content-Length headers

[godsey]

Please answer these questions before submitting your issue. Thanks!

1. What version of Go are you using (go version)?
   go version go1.6.3 linux/amd64
2. What operating system and processor architecture are you using (go env)?
   GOARCH="amd64"
   GOBIN=""
   GOEXE=""
   GOHOSTARCH="amd64"
   GOHOSTOS="linux"
   GOOS="linux"
   GOPATH=""
   GORACE=""
   GOROOT="/usr/lib/go"
   GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
   GO15VENDOREXPERIMENT="1"
   CC="gcc"
   GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
   CXX="g++"
   CGO_ENABLED="1"
3. What did you do?
   Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
4. What did you expect to see?

I expected http response.

1. What did you see instead?

http: message cannot contain multiple Content-Length headers

The Patch:
300d9a2

Added check -> net/http: harden Server against request smuggling

The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.

https://tools.ietf.org/html/rfc7230#page-30

If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.

Current check:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    return 0, errors.New("http: message cannot contain multiple Content-Length headers")
}

Proposed alteration to check allowing duplicate Content-Length headers:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    check := contentLens[0]
       for _, contentLength := range contentLens {
        if check != contentLength {
            return 0, errors.New("http: message cannot contain multiple Content-Length header values")
        }
    }
}

Example response header from vendor tools:

< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<

[bradfitz]

Thanks for the report. I can look into this when the Go 1.8 tree opens.

[quentinmit]

ping @bradfitz, 1.8 is now open

[bradfitz]

@odeke-em, you want to do this one?

[odeke-em]

Yap yap. Thank you @bradfitz!

[gopherbot]

CL https://golang.org/cl/31252 mentions this issue.