Description
Please answer these questions before submitting your issue. Thanks!
- What version of Go are you using (go version)?

go version go1.6.3 linux/amd64

- What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT="1"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"

- What did you do?

Fetched a URL from a vendor appliance which unfortunately returns duplicate (identical) Content-Length headers.

- What did you expect to see?

I expected an HTTP response.
- What did you see instead?
http: message cannot contain multiple Content-Length headers
The patch: commit 300d9a2 added the check (net/http: harden Server against request smuggling).
The check as it is doesn't allow the optional acceptance of multiple Content-Length headers as long as they match.
https://tools.ietf.org/html/rfc7230#page-30
If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.
Current check (in net/http's body-length logic):

```go
if len(contentLens) > 1 {
	// harden against HTTP request smuggling. See RFC 7230.
	return 0, errors.New("http: message cannot contain multiple Content-Length headers")
}
```
Proposed alteration to the check, allowing duplicate Content-Length headers only when every value is identical:

```go
if len(contentLens) > 1 {
	// harden against HTTP request smuggling. See RFC 7230.
	// Duplicates are tolerated only if they all carry the same value;
	// any disagreement is still rejected.
	check := contentLens[0]
	for _, contentLength := range contentLens {
		if check != contentLength {
			return 0, errors.New("http: message cannot contain multiple Content-Length header values")
		}
	}
}
```
Example response headers from the vendor tools:

```text
< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
```
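As an added example, not code from this issue or from Go's net/http: the RFC 7230 rule quoted above written out as a stand-alone Go function. It accepts repeated Content-Length fields and the list form ("Content-Length: 42, 42") only when every value is identical, rejects values that disagree (the request-smuggling case the check guards against), and collapses an accepted duplicate to a single field before a proxy would forward the message. The function names are this example's own, and vendorHeader() is a constructed header set reproducing the vendor response shown above, not captured traffic.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// ErrConflictingContentLength is returned when the Content-Length values of one
// message disagree. That is the request-smuggling case: a front end and a back
// end that pick different values would frame the body differently, so RFC 7230
// section 3.3.3 requires the message to be rejected outright.
var ErrConflictingContentLength = errors.New(
	"http: message cannot contain multiple Content-Length headers with differing values")

// contentLengthFromValues applies the RFC 7230 section 3.3.2 rule to the raw
// Content-Length field values of one message (hypothetical helper, not net/http
// API). Repeated fields ("Content-Length: 9606" twice) and the list form
// ("Content-Length: 42, 42") are accepted only when every value is identical.
// It returns present=false when no Content-Length is set at all.
func contentLengthFromValues(values []string) (length int64, present bool, err error) {
	var first string
	for _, v := range values {
		// A single field may carry a comma-separated list when an upstream
		// processor combined duplicate fields (RFC 7230 section 3.2.2).
		for _, item := range strings.Split(v, ",") {
			item = strings.TrimSpace(item)
			if item == "" {
				return 0, false, errors.New("http: empty Content-Length value")
			}
			if !present {
				first, present = item, true
				continue
			}
			// Compare the textual values, not the parsed numbers: "42" and
			// "042" are treated as disagreeing, which errs toward rejecting.
			if item != first {
				return 0, false, ErrConflictingContentLength
			}
		}
	}
	if !present {
		return 0, false, nil
	}
	// Content-Length is 1*DIGIT; strconv alone would also accept "+42".
	for _, c := range first {
		if c < '0' || c > '9' {
			return 0, false, fmt.Errorf("http: bad Content-Length %q", first)
		}
	}
	n, err := strconv.ParseInt(first, 10, 64)
	if err != nil {
		return 0, false, fmt.Errorf("http: bad Content-Length %q: %v", first, err)
	}
	return n, true, nil
}

// dedupeContentLength rewrites h in place so that an accepted duplicate becomes
// one Content-Length field, the "replace the duplicated field-values with a
// single valid Content-Length field" branch of the RFC that a proxy must take
// before forwarding. On a conflict h is left untouched and the error is returned.
func dedupeContentLength(h http.Header) (int64, bool, error) {
	n, present, err := contentLengthFromValues(h.Values("Content-Length"))
	if err != nil || !present {
		return n, present, err
	}
	h.Set("Content-Length", strconv.FormatInt(n, 10))
	return n, present, nil
}

// vendorHeader reconstructs the header set of the vendor response quoted in
// the issue (constructed sample input, not captured traffic).
func vendorHeader() http.Header {
	h := http.Header{}
	h.Add("Date", "Mon, 25 Jul 2016 15:01:09 GMT")
	h.Add("Server", "Apache/2.2.3 (Red Hat)")
	h.Add("Content-Length", "9606")
	h.Add("Server-Application", "Video Appliance")
	h.Add("Server-Address", "10.133.14.24")
	h.Add("Connection", "close")
	h.Add("Content-Length", "9606")
	h.Add("Content-Type", "text/html; charset=iso-8859-1")
	return h
}

func main() {
	h := vendorHeader()
	n, _, err := dedupeContentLength(h)
	fmt.Printf("vendor response: length=%d fields=%v err=%v\n", n, h["Content-Length"], err)

	// The case the hardening exists for: two values that disagree must be rejected.
	_, _, err = contentLengthFromValues([]string{"9606", "0"})
	fmt.Println("conflicting values:", err)
}
```

The comparison is done on the textual values rather than the parsed integers on purpose: the RFC only obliges a recipient to accept values that are the same, so treating "42" and "042" as a conflict costs nothing in interoperability and keeps the check simple to reason about. Collapsing to one field matters for anything that forwards the message, since a downstream parser with the stricter check would otherwise reject it.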