Return HTTP 400 or 411 if Content-Length is invalid or empty #462

Closed
wants to merge 1 commit into from

avtobiff
Collaborator

@avtobiff avtobiff commented Nov 2, 2022

Content-Length is defined to be an integer 0 or greater.

The current behaviour when Content-Length is not an integer is that Yaws immediately cuts the connection.

It is not totally clearly defined what to do when Content-Length is invalid, but responding with HTTP 400 Bad Request at least notifies the user of their error.

If POST is used and Content-Length is empty, respond with HTTP 411 Length Required.

@avtobiff avtobiff force-pushed the content-length-values branch 2 times, most recently from 067f6a4 to 219b35c Compare November 15, 2022 13:00
@vinoski
Collaborator

vinoski commented Nov 17, 2022

Is there any problem with this with POST requests that aren't required to have Content-Length headers, such as when chunked transfer is used? Given all checks have passed, including chunked transfer tests, seems like it's not an issue, but then I think that means the last sentence of the commit message isn't quite accurate.

@avtobiff
Collaborator Author

I'll check with chunked transfer and POST.

Return HTTP 400 if Content-Length header is invalid. The Content-Length
header is defined to be an integer 0 or greater.
See RFC 9110 Section 8.6. Content-Length.

Return HTTP 411 if Content-Length is empty for POST, if
Transfer-Encoding is not set. If however Transfer-Encoding is used for
POST, Content-Length is ignored.
See RFC 9112 Section 6.1 Transfer-Encoding.

This improves the previous behaviour when Content-Length is not an
integer where Yaws immediately cut the connection.

It is not totally clearly defined what to do when Content-Length is
invalid, but responding with HTTP 400 Bad Request at least notifies the
user of their error.

One implementation detail to note is that all headers need to be
collected in order to know if Transfer-Encoding is set; if it is set,
Content-Length is ignored. However, if Transfer-Encoding is not set, the
normal error handling for Content-Length is performed. This means that
the report of multiple content-length headers error is deferred to when
all headers are collected.
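
The header handling described in the commit message above, modelled as an added Python example; it is not code from the Yaws repository or from the participants. The function name, the `(status, length)` return shape, the 400 for duplicate headers, the 400 for an empty value on non-POST methods, and the treatment of an absent header are assumptions of this sketch.

```python
import re

# RFC 9110 Section 8.6: Content-Length = 1*DIGIT. int() alone is too lenient:
# it also accepts "+5", "1_0" and non-ASCII digits.
_DIGITS = re.compile(r"[0-9]+")


def framing_check(method, headers):
    """Return (status, content_length) for a request's body framing.

    headers is a list of (name, value) pairs in arrival order. status is
    None when the request may proceed, otherwise the HTTP error code.
    """
    lengths = []
    has_te = False
    # Collect every header first: whether Content-Length matters is only
    # known once Transfer-Encoding has been seen (or not seen).
    for name, value in headers:
        lname = name.lower()
        if lname == "transfer-encoding":
            has_te = True
        elif lname == "content-length":
            lengths.append(value.strip(" \t"))  # drop optional whitespace

    if has_te:
        return None, None   # Content-Length is ignored
    if not lengths:
        return None, None   # assumption: an absent header is not judged here
    if len(lengths) > 1:
        return 400, None    # assumption: duplicates are rejected with 400
    value = lengths[0]
    if value == "":
        # Empty on POST is 411; for other methods this sketch answers 400.
        return (411 if method.upper() == "POST" else 400), None
    if not _DIGITS.fullmatch(value):
        return 400, None    # not an integer 0 or greater
    return None, int(value)


if __name__ == "__main__":
    # Constructed sample requests, not taken from the Yaws test suite.
    samples = [
        ("POST", [("Content-Length", "12")]),
        ("POST", [("Content-Length", "")]),
        ("POST", [("Content-Length", "-1")]),
        ("POST", [("Content-Length", ""), ("Transfer-Encoding", "chunked")]),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", framing_check(method, hdrs))
```
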
@avtobiff
Collaborator Author

Finally got time to rework this. It needed some changes to take
transfer encoding into account.

It should be ready for merge now.

@vinoski
Collaborator

vinoski commented Jul 22, 2023

I merged this to master manually. Thanks for contributing it!

@vinoski vinoski closed this Jul 22, 2023
@avtobiff avtobiff deleted the content-length-values branch July 23, 2023 22:44