net/http: reject requests with invalid Content-Length headers - go - Fork of Go programming language with my patches.

diff options

author	Andy Pan <panjf2000@gmail.com>	2024-02-04 14:50:42 +0800
committer	Damien Neil <dneil@google.com>	2024-02-14 22:23:32 +0000
commit	48d899dcdbed4534ed942f7ec2917cf86b18af22 (patch)
tree	196df55cdf5bb33e1a6ef890f5967beace4ee239 /src/cmd/vendor/github.com
parent	d90a57ffe8ad8f3cb0137822a768ae48cf80a09d (diff)
download	go-48d899dcdbed4534ed942f7ec2917cf86b18af22.tar.xz

net/http: reject requests with invalid Content-Length headers

According to RFC 9110 and RFC 9112, invalid "Content-Length" headers might involve request smuggling or response splitting, which could also cause security failures. Currently, `net/http` ignores all "Content-Length" headers when there is a "Transfer-Encoding" header and forward the message anyway while other mainstream HTTP implementations such as Apache Tomcat, Nginx, HAProxy, Node.js, Deno, Tornado, etc. reject invalid Content-Length headers regardless of the presence of a "Transfer-Encoding" header and only forward chunked-encoding messages with either valid "Content-Length" headers or no "Content-Length" headers. Fixes #65505 Change-Id: I73af2ee0785137e56c7546a4cce4a5c5c348dbc5 Reviewed-on: https://go-review.googlesource.com/c/go/+/561075 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Bryan Mills <bcmills@google.com> Reviewed-by: Damien Neil <dneil@google.com>

Diffstat (limited to 'src/cmd/vendor/github.com')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: