duplicate header "Content-Length" in HTTP responses #6517
It's a violation of the spec. Node could ignore the second Content-Length header iff it's identical to the first one, but that's arguably pandering to broken server software.
Using the node http/https client I am getting the error. We should be able to get a response from buggy servers for some purposes, right? If it is ignored, why are we getting an error? -- thanks
Not really; if the content lengths were different, how would we know which to use? Arguably we could ignore it if they are identical, but it still highlights a downstream problem.
The reason this check is necessary is that there are a number of security exploits that can be performed involving the use of multiple Content-Length headers. Different HTTP implementations treat multiple Content-Length headers differently -- some pay attention only to the first one, others pay attention only to the second one, others die completely as they are supposed to. The effect is that using multiple Content-Length headers has been proven to be an effective way to sneak content past firewalls/proxies/caches to deliver malicious content to clients. Per: https://tools.ietf.org/html/rfc7230#section-3.3.3
@bnoordhuis is correct that, per the spec, we are permitted to ignore multiple Per: https://tools.ietf.org/html/rfc7230#section-3.3.2 (emphasis added)
The safest (and most performant) thing to do is to simply reject the message.
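The RFC 7230 section 3.3.3 rule discussed above, as an added example that is not Node's own parser code: identical duplicate values may be folded or rejected (Node rejects, which `strict` models), differing or non-numeric values are an unrecoverable framing error. The header lines are constructed for illustration.

```javascript
// Decide the Content-Length framing for a set of header lines per RFC 7230 3.3.3.
// Returns { ok: true, length } or { ok: false, reason }. Added example, not Node's parser.
function resolveContentLength(headerLines, { strict = false } = {}) {
  // Collect every Content-Length value, splitting comma-separated lists
  // ("Content-Length: 42, 42") that an upstream processor may have combined.
  const values = [];
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or malformed line, skip
    const name = line.slice(0, idx).trim().toLowerCase();
    if (name !== 'content-length') continue;
    for (const v of line.slice(idx + 1).split(',')) values.push(v.trim());
  }
  if (values.length === 0) return { ok: true, length: null }; // not framed by length

  // Any value that is not a plain decimal integer makes the framing invalid.
  if (!values.every((v) => /^[0-9]+$/.test(v))) {
    return { ok: false, reason: 'invalid Content-Length value' };
  }
  // Differing values: unrecoverable error (classic desync/smuggling signal).
  if (new Set(values).size > 1) {
    return { ok: false, reason: 'multiple differing Content-Length values' };
  }
  // Identical duplicates: the RFC allows either folding or rejecting; Node rejects.
  if (values.length > 1 && strict) {
    return { ok: false, reason: 'duplicate Content-Length header' };
  }
  return { ok: true, length: Number(values[0]) };
}

// Constructed sample response heads (not captured from any real server).
const folded = ['HTTP/1.1 200 OK', 'Content-Length: 42', 'Content-Length: 42'];
const differing = ['HTTP/1.1 200 OK', 'Content-Length: 42', 'Content-Length: 7'];

console.log(resolveContentLength(folded));                   // folded to 42
console.log(resolveContentLength(folded, { strict: true })); // rejected, as Node does
console.log(resolveContentLength(differing));                // rejected: differing values
```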
Throw an error only if the values are different. Known issues: request/request#2091 (comment), nodejs/node#6517 (comment). Test URL with duplicate headers: https://bazimag.com/article/6989-the-evil-within-2-preview
If there is a duplicate "Content-Length" header in HTTP responses, I get an error.
Using wget I am getting the following headers: