Skip to content
Permalink
Browse files

Make auto_cl more selective based on HTTP method

According to https://tools.ietf.org/html/rfc7230#section-3.3.2, a zero content-length is valid for some kinds of HTTP methods.

Instead of implicitly disabling auto_cl if there is no actual content, disable auto_cl default for HTTP methods where semantics of the message do not anticipate any content. This can still be overridden by a caller if it still wants to add an empty content-length for HTTP methods where it does not normally make sense (e.g. if it exploits a bug.)
  • Loading branch information...
busterb committed Jun 4, 2019
1 parent d50cf54 commit e5a4c2d341eff762eda37f50cf39ba10147f9093
Showing with 9 additions and 3 deletions.
  1. +5 −3 lib/rex/proto/http/packet.rb
  2. +4 −0 lib/rex/proto/http/request.rb
@@ -203,11 +203,13 @@ def output_packet(ignore_chunk=false)
end

unless ignore_chunk
if (self.auto_cl == true && self.transfer_chunked == true)
if self.auto_cl && self.transfer_chunked
raise RuntimeError, "'Content-Length' and 'Transfer-Encoding: chunked' are incompatible"
elsif self.auto_cl == true && content.length > 0
end

if self.auto_cl
self.headers['Content-Length'] = content.length
elsif self.transfer_chunked == true
elsif self.transfer_chunked
if self.proto != '1.1'
raise RuntimeError, 'Chunked encoding is only available via 1.1'
end
@@ -63,6 +63,10 @@ def initialize(method = 'GET', uri = '/', proto = DefaultProtocol)
self.chunk_max_size = 10
self.uri_encode_mode = 'hex-normal'

if self.method == 'GET' || self.method == 'CONNECT'
self.auto_cl = false
end

update_uri_parts
end

0 comments on commit e5a4c2d

Please sign in to comment.
You can’t perform that action at this time.