net/http: support multiple identical Content-Length headers #16490
Please answer these questions before submitting your issue. Thanks!
go version
go version go1.6.3 linux/amd64
go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH=""
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GO15VENDOREXPERIMENT="1"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0"
CXX="g++"
CGO_ENABLED="1"
Fetch URL from vendor which unfortunately returns duplicate (identical) Content-Length headers.
I expected an HTTP response.
http: message cannot contain multiple Content-Length headers
The Patch:
300d9a2
Added check -> net/http: harden Server against request smuggling
The check as is doesn't allow the optional response of multiple Content-Length headers as long as they match.
https://tools.ietf.org/html/rfc7230#page-30
If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.
Current check:
Proposed alteration to check allowing duplicate Content-Length headers:
Example response header from vendor tools:
< HTTP/1.1 200 Ok
< Date: Mon, 25 Jul 2016 15:01:09 GMT
< Server: Apache/2.2.3 (Red Hat)
< Content-Length: 9606
< Server-Application: Video Appliance
< Server-Address: 10.133.14.24
< Connection: close
< Content-Length: 9606
< Content-Type: text/html; charset=iso-8859-1
<
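The RFC 7230 rule quoted above, written out as an added Go example; it is neither the net/http check nor the alteration proposed in this issue. The helper `normalizeContentLength` and both error names are hypothetical, and the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	errInvalidCL     = errors.New("invalid Content-Length value")
	errConflictingCL = errors.New("conflicting Content-Length values")
)

// normalizeContentLength (hypothetical helper) takes every Content-Length
// field value received on one message and returns the single length to use.
// It returns -1 when the header is absent. Repeated fields and comma lists
// are accepted only if every member is the same decimal value (RFC 7230
// section 3.3.2); anything else is rejected, because two parsers that pick
// different values disagree on where the body ends.
func normalizeContentLength(values []string) (int64, error) {
	length := int64(-1)
	for _, field := range values {
		for _, raw := range strings.Split(field, ",") {
			v := strings.Trim(raw, " \t")
			// ParseUint rejects signs, empty strings and non-digits;
			// bitSize 63 keeps the result inside int64.
			n, err := strconv.ParseUint(v, 10, 63)
			if err != nil {
				return -1, fmt.Errorf("%w: %q", errInvalidCL, raw)
			}
			if length >= 0 && length != int64(n) {
				return -1, fmt.Errorf("%w: %d and %d", errConflictingCL, length, n)
			}
			length = int64(n)
		}
	}
	return length, nil
}

func main() {
	// Constructed inputs; the first mirrors the vendor response on this page.
	for _, in := range [][]string{{"9606", "9606"}, {"42, 42"}, {"9606", "0"}, {"42,"}} {
		n, err := normalizeContentLength(in)
		fmt.Printf("%q -> %d, %v\n", in, n, err)
	}
}
```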