/ go Public
net/http: ReadResponse rejects duplicate
Transfer-Encoding: chunked headers
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Since Go 1.15 (commit d5734d4), http.ReadResponse (and therefore http.Transport.RoundTrip) returns an error if the response has more than one Transfer-Encoding header.
This makes it impossible to download content from certain sites. For example, attempting to download from https://sis.cat.com/ returns the error
too many transfer encodings: ["chunked" "chunked"]. (https://play.golang.org/p/3rJb7ClBQ_U)
If I understand the discussion around the change correctly, there are security issues related to multiple Transfer-Encoding headers on a request. But this is on a response.
Could we be a little less strict for responses? Or allow multiple Transfer-Encoding headers if they are all "chunked"?
The text was updated successfully, but these errors were encountered: