aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorLoïc Hoguin <[email protected]>2020-05-20 13:41:05 +0200
committerLoïc Hoguin <[email protected]>2020-05-20 13:41:05 +0200
commit39b2816255503910dc23e2fdf703ee63bbc8953e (patch)
tree65f9b843db941fd7ba1f3926b77ab34cbc5675f8 /src
parent8337aca4d31ffa8120704057675aacbbaa280975 (diff)
downloadcowboy-39b2816255503910dc23e2fdf703ee63bbc8953e.tar.gz
cowboy-39b2816255503910dc23e2fdf703ee63bbc8953e.tar.bz2
cowboy-39b2816255503910dc23e2fdf703ee63bbc8953e.zip
204 and 304 responses must not include a body
When calling cowboy_req:reply/4 with a body a crash will occur resulting in a 500 response. When calling cowboy_req:stream_reply/2,3 and then attempting to send a body a crash will occur.
Diffstat (limited to 'src')
-rw-r--r--src/cowboy_http.erl3
-rw-r--r--src/cowboy_req.erl19
2 files changed, 19 insertions, 3 deletions
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index 2833e79..89ba9d8 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -1029,8 +1029,9 @@ commands(State0=#state{socket=Socket, transport=Transport, out_state=wait, strea
#stream{version=Version} = lists:keyfind(StreamID, #stream.id, Streams),
{State1, Headers} = connection(State0, Headers0, StreamID, Version),
State = State1#state{out_state=done},
- %% @todo Ensure content-length is set.
+ %% @todo Ensure content-length is set. 204 must never have content-length set.
Response = cow_http:response(StatusCode, 'HTTP/1.1', headers_to_list(Headers)),
+ %% @todo 204 and 304 responses must not include a response body. (RFC7230 3.3.1, RFC7230 3.3.2)
case Body of
{sendfile, _, _, _} ->
Transport:send(Socket, Response),
diff --git a/src/cowboy_req.erl b/src/cowboy_req.erl
index a2eadfc..90c5a3a 100644
--- a/src/cowboy_req.erl
+++ b/src/cowboy_req.erl
@@ -806,12 +806,16 @@ reply(Status, Headers, SendFile = {sendfile, _, Len, _}, Req)
}, SendFile, Req);
%% 204 responses must not include content-length. 304 responses may
%% but only when set explicitly. (RFC7230 3.3.1, RFC7230 3.3.2)
+%% Neither status code must include a response body. (RFC7230 3.3)
reply(Status, Headers, Body, Req)
when Status =:= 204; Status =:= 304 ->
+ 0 = iolist_size(Body),
do_reply(Status, Headers, Body, Req);
-reply(Status= <<"204",_/bits>>, Headers, Body, Req) ->
+reply(Status = <<"204",_/bits>>, Headers, Body, Req) ->
+ 0 = iolist_size(Body),
do_reply(Status, Headers, Body, Req);
-reply(Status= <<"304",_/bits>>, Headers, Body, Req) ->
+reply(Status = <<"304",_/bits>>, Headers, Body, Req) ->
+ 0 = iolist_size(Body),
do_reply(Status, Headers, Body, Req);
reply(Status, Headers, Body, Req)
when is_integer(Status); is_binary(Status) ->
@@ -840,6 +844,17 @@ stream_reply(Status, Req) ->
-> Req when Req::req().
stream_reply(_, _, #{has_sent_resp := _}) ->
error(function_clause);
+%% 204 and 304 responses must NOT send a body. We therefore
+%% transform the call to a full response and expect the user
+%% to NOT call stream_body/3 afterwards. (RFC7230 3.3)
+stream_reply(Status = 204, Headers=#{}, Req) ->
+ reply(Status, Headers, <<>>, Req);
+stream_reply(Status = <<"204",_/bits>>, Headers=#{}, Req) ->
+ reply(Status, Headers, <<>>, Req);
+stream_reply(Status = 304, Headers=#{}, Req) ->
+ reply(Status, Headers, <<>>, Req);
+stream_reply(Status = <<"304",_/bits>>, Headers=#{}, Req) ->
+ reply(Status, Headers, <<>>, Req);
stream_reply(Status, Headers=#{}, Req) when is_integer(Status); is_binary(Status) ->
cast({headers, Status, response_headers(Headers, Req)}, Req),
done_replying(Req, headers).