Version
12717d1
Platform
Ubuntu 11.4.0-1ubuntu1~22.04
Description
Hello, I may have found a bug in hyper's parsing of HTTP requests with a duplicate Content-Type header.
RFC 9110 says this:
Although Content-Type is defined as a singleton field, it is sometimes incorrectly generated multiple times, resulting in a combined field value that appears to be a list. Recipients often attempt to handle this error by using the last syntactically valid member of the list, leading to potential interoperability and security issues if different implementations have different error handling behaviors.
Hyper does not reject such requests. For example:
POST / HTTP/1.1\r\n
Host: victim.com\r\n
Content-Type: text/plain\r\n
Content-Type: application/json\r\n
\r\n
$ echo -ne "POST / HTTP/1.1\r\nHost: victim.com\r\nContent-Type: text/plain\r\nContent-Type: application/json\r\n\r\n" | nc 172.18.0.9 80
HTTP/1.1 200 OK
content-length: 193
date: Thu, 20 Mar 2025 14:49:09 GMT
{"method":"UE9TVA==","version":"MS4x","uri":"Lw==","headers":[["aG9zdA==","dmljdGltLmNvbQ=="],["Y29udGVudC10eXBl","dGV4dC9wbGFpbg=="],["Y29udGVudC10eXBl","YXBwbGljYXRpb24vanNvbg=="]],"body":""}
Hyper may not concern itself with the semantics of Content-Type. It may simply parse the headers and provide the user code with what headers were sent. It may be more free for the application-layer code to decide how to handle requests, but there may be potential interoperability implications if different implementations handle them differently, according to RFC 9110.
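An added example, not part of the original issue and not hyper's code: one way application-layer code could enforce the singleton rule for Content-Type before acting on a request, run here against the request shown above. It uses only the standard library on the raw request head; the names `CtError`, `content_type` and `status_for` are hypothetical, and answering 400 is a policy choice assumed for the example.

```rust
// Added example: reject requests whose Content-Type appears on more than one line.
// Hypothetical helper names; std only, no hyper API is used.
const OWS: &[char] = &[' ', '\t']; // optional whitespace around a field value

#[derive(Debug, PartialEq)]
enum CtError {
    Duplicate(Vec<String>), // every value seen, in wire order, for logging
    Malformed,              // field line without ':' or with space before ':'
}

/// Returns the single Content-Type value, None if the field is absent,
/// or an error if the field is sent more than once.
fn content_type(head: &str) -> Result<Option<String>, CtError> {
    let mut values = Vec::new();
    // Skip the request line; stop at the empty line that ends the head.
    for line in head.split("\r\n").skip(1) {
        if line.is_empty() {
            break;
        }
        let (name, value) = line.split_once(':').ok_or(CtError::Malformed)?;
        if name.is_empty() || name.ends_with(OWS) {
            return Err(CtError::Malformed);
        }
        // Field names are case-insensitive.
        if name.eq_ignore_ascii_case("content-type") {
            values.push(value.trim_matches(OWS).to_string());
        }
    }
    match values.len() {
        0 => Ok(None),
        1 => Ok(values.pop()),
        _ => Err(CtError::Duplicate(values)),
    }
}

/// Assumed policy: an ambiguous or malformed head gets 400, never "last one wins".
fn status_for(head: &str) -> u16 {
    match content_type(head) {
        Ok(_) => 200,
        Err(_) => 400,
    }
}

fn main() {
    // The request from the issue above.
    let dup = "POST / HTTP/1.1\r\nHost: victim.com\r\nContent-Type: text/plain\r\nContent-Type: application/json\r\n\r\n";
    println!("{:?} -> {}", content_type(dup), status_for(dup));
}
```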