Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: support multiple identical Content-Length headers #16490

Closed
godsey opened this issue Jul 25, 2016 · 5 comments
Closed

net/http: support multiple identical Content-Length headers #16490

godsey opened this issue Jul 25, 2016 · 5 comments
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done. Suggested Issues that may be good for new contributors looking for work to do.
Milestone
Go1.8

Comments

@godsey
Copy link

godsey commented Jul 25, 2016

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    go version go1.6.3 linux/amd64
  2. What operating system and processor architecture are you using (go env)?
    GOARCH="amd64"
    GOBIN=""
    GOEXE=""
    GOHOSTARCH="amd64"
    GOHOSTOS="linux"
    GOOS="linux"
    GOPATH=""
    GORACE=""
    GOROOT="/usr/lib/go"
    GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
    GO15VENDOREXPERIMENT="1"
    CC="gcc"
    GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
    CXX="g++"
    CGO_ENABLED="1"
  3. What did you do?
    Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
  4. What did you expect to see?

I expected http response.

  1. What did you see instead?

http: message cannot contain multiple Content-Length headers

The Patch:
300d9a2

Added check -> net/http: harden Server against request smuggling

The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.

https://tools.ietf.org/html/rfc7230#page-30

If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.

Current check:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    return 0, errors.New("http: message cannot contain multiple Content-Length headers")
}

Proposed alteration to check allowing duplicate Content-Length headers:

if len(contentLens) > 1 {
    // harden against HTTP request smuggling. See RFC 7230.
    check := contentLens[0]
       for _, contentLength := range contentLens {
        if check != contentLength {
            return 0, errors.New("http: message cannot contain multiple Content-Length header values")
        }
    }
}

Example response header from vendor tools:

< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
@bradfitz bradfitz added this to the Go1.8 milestone Jul 25, 2016
@bradfitz bradfitz changed the title RFC 7230 (Support Multiple (identical) Content-Length Headers) net/http: support multiple identical Content-Length headers Jul 25, 2016
@bradfitz
Copy link
Contributor

Thanks for the report. I can look into this when the Go 1.8 tree opens.

@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 7, 2016
@quentinmit
Copy link
Contributor

ping @bradfitz, 1.8 is now open

@bradfitz bradfitz added Suggested Issues that may be good for new contributors looking for work to do. help wanted labels Oct 16, 2016
@bradfitz
Copy link
Contributor

@odeke-em, you want to do this one?

@odeke-em
Copy link
Member

Yap yap. Thank you @bradfitz!

@odeke-em odeke-em self-assigned this Oct 16, 2016
@gopherbot
Copy link

CL https://golang.org/cl/31252 mentions this issue.

@golang golang locked and limited conversation to collaborators Oct 17, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done. Suggested Issues that may be good for new contributors looking for work to do.
Projects
None yet
Milestone
Go1.8
Development

No branches or pull requests
5 participants
@bradfitz @quentinmit @odeke-em @godsey @gopherbot