From 6ef79ae410d9bce15a361303ec283f6381965404 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Fri, 5 Jan 2024 16:24:25 +0100
Subject: Reject HTTP/1 requests with both content-length and transfer-encoding

The previous behavior was to accept them and drop the content-length header as per the RFC recommendation. But since this behavior is not normal it is safer to just reject such requests than risk security issues.
---
 test/rfc7230_SUITE.erl | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'test')

diff --git a/test/rfc7230_SUITE.erl b/test/rfc7230_SUITE.erl
index 50a6c71..64d9ce4 100644
--- a/test/rfc7230_SUITE.erl
+++ b/test/rfc7230_SUITE.erl
@@ -1144,18 +1144,19 @@ reject_invalid_content_length(Config) ->
 %with a message body too large must be rejected with a 413 status
 %code and the closing of the connection. (RFC7230 3.3.2)
 
-ignore_content_length_when_transfer_encoding(Config) ->
+reject_when_both_content_length_and_transfer_encoding(Config) ->
 	doc("When a message includes both transfer-encoding and content-length "
-		"headers, the content-length header must be removed before processing "
-		"the request. (RFC7230 3.3.3)"),
-	#{code := 200, body := <<"Hello world!">>} = do_raw(Config, [
+		"headers, the message may be an attempt at request smuggling. It "
+		"must be rejected with a 400 status code and the closing of the "
+		"connection. (RFC7230 3.3.3)"),
+	#{code := 400, client := Client} = do_raw(Config, [
 		"POST /echo/read_body HTTP/1.1\r\n"
 		"Host: localhost\r\n"
 		"Transfer-encoding: chunked\r\n"
 		"Content-length: 12\r\n"
 		"\r\n"
 		"6\r\nHello \r\n5\r\nworld\r\n1\r\n!\r\n0\r\n\r\n"]),
-	ok.
+	{error, closed} = raw_recv(Client, 0, 1000).
 
 %socket_error_while_reading_body(Config) ->
 %If a socket error occurs while reading the body the server
-- 
cgit v1.2.3
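Review bot: The doc string on the second through fourth added lines presents the 400 rejection as an RFC mandate, but RFC 7230 3.3.3 only says a message carrying both headers "ought to be handled as an error" (a MAY in the later RFC 9112), so the rejection is this server's own policy and the test description should say so; suggest `"headers, the message may be an attempt at request smuggling. " "This server rejects it with a 400 status code and closes the " "connection. (RFC7230 3.3.3)"`. The `{error, closed} = raw_recv(Client, 0, 1000)` assertion on the last added line presumably relies on do_raw having consumed the entire 400 response; if any response bytes remain unread it would yield `{ok, _}` instead, which is worth confirming against the do_raw helper outside this hunk. Since the commit touches only this test file and only this hunk, the rename on the first added line also assumes the suite discovers test cases by export rather than an explicit all/0 list; if the list is explicit, it needs the new name.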