
Disallow negative or hexadecimal content-length headers. #49305

Closed
brianquinlan opened this issue Jun 21, 2022 · 9 comments
Assignees
Labels
area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. breaking-change-request This tracks requests for feedback on breaking changes enhancement-breaking-change An enhancement which is breaking. library-_http

Comments

@brianquinlan
Contributor

brianquinlan commented Jun 21, 2022

Change

Generate an HttpException when HttpHeaders.add(...) encounters a negative or hexadecimal-encoded content-length. Currently both are acceptable.

Also, change non-numeric input to raise an HttpException rather than a FormatException so that a consistent Exception is thrown.

Rationale

RFC 7230 says that the production for content-length is:

     Content-Length = 1*DIGIT

So we are currently accepting invalid input that might cause clients/servers to misbehave.

The possibility of HttpHeaders.add(...) throwing FormatException is undocumented, so (partially) consolidate to HttpException (which is what is thrown for most parse failures).

Impact

This change does not break any Google tests.

Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.

Mitigation

Users should not use HttpHeaders.add(...) to set content-length headers that are not allowed by the RFC.
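As an added example (not code from the Dart SDK or from this issue's author), the following Python script contrasts a permissive integer parser of the kind the issue describes (sign, surrounding whitespace, 0x hex prefix) with one that accepts only the RFC 7230 production `1*DIGIT`, and then frames a constructed pipelined request with each parser to show how the two disagree about where the first body ends. The names `lenient_parse`, `strict_parse`, `split_body`, `compare` and the sample request are all constructed for this example; `lenient_parse` is a stand-in for the behaviour reported, not the Dart implementation.

```python
"""Strict Content-Length parsing according to RFC 7230.

Added example, not code from the Dart SDK or the issue author. It
contrasts a permissive integer parser (optional sign, surrounding
whitespace, a 0x hex prefix) with a parser that accepts only

    Content-Length = 1*DIGIT

and shows how the two disagree about where a message body ends.
"""
from __future__ import annotations

import re
from typing import Callable, Optional

# Exactly one or more ASCII digits, nothing else (RFC 7230 section 3.3.2).
# [0-9] is a literal range, so non-ASCII digits are rejected; \Z pins the end.
_RFC_CONTENT_LENGTH = re.compile(r"[0-9]+\Z")


class InvalidContentLength(ValueError):
    """Raised for any Content-Length value that is not 1*DIGIT."""


def lenient_parse(value: str) -> int:
    """Permissive parser: optional sign, surrounding whitespace, 0x hex.

    Stand-in written for this example to model the class of behaviour
    the issue reports; it is not the Dart implementation.
    """
    s = value.strip()
    sign = 1
    if s and s[0] in "+-":
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    if s[:2].lower() == "0x":
        return sign * int(s[2:], 16)
    # int(..., 10) itself still accepts underscores and non-ASCII digits.
    return sign * int(s, 10)


def strict_parse(value: str) -> int:
    """Accept only 1*DIGIT; reject sign, whitespace, hex, non-ASCII digits.

    Duplicate or comma-separated Content-Length values are a separate
    framing check (RFC 7230 section 3.3.3) and are not handled here.
    """
    if not _RFC_CONTENT_LENGTH.match(value):
        raise InvalidContentLength(f"not 1*DIGIT: {value!r}")
    return int(value, 10)


# Constructed inputs: valid per RFC, then the shapes the issue wants rejected.
CONSTRUCTED_VALUES = ["42", "010", "-1", "+7", " 42", "0x10", "4_2", "٤٢", ""]


def compare(values=CONSTRUCTED_VALUES) -> dict[str, tuple[Optional[int], Optional[int]]]:
    """Map each value to (lenient result, strict result); None means rejected."""
    out: dict[str, tuple[Optional[int], Optional[int]]] = {}
    for v in values:
        try:
            lenient: Optional[int] = lenient_parse(v)
        except ValueError:
            lenient = None
        try:
            strict: Optional[int] = strict_parse(v)
        except ValueError:
            strict = None
        out[v] = (lenient, strict)
    return out


def split_body(raw: bytes, parse: Callable[[str], int]) -> tuple[bytes, bytes]:
    """Frame one message body using the given Content-Length parser.

    Returns (body, leftover). Leftover is what a pipelining peer treats as
    the start of the next message, so two hops that parse the same header
    differently will disagree on where the next request begins.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    length: Optional[int] = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            # latin-1 never fails, so odd bytes reach the parser and are judged there
            length = parse(value.strip().decode("latin-1"))
    if length is None:
        return b"", rest
    if length < 0 or length > len(rest):
        raise InvalidContentLength(f"body of {length} bytes cannot be framed")
    return rest[:length], rest[length:]


# Constructed sample: two pipelined requests; the first Content-Length is hex.
CONSTRUCTED_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 0x5\r\n"
    b"\r\n"
    b"helloGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)


if __name__ == "__main__":
    for v, (lenient, strict) in compare().items():
        print(f"{v!r:10} lenient={lenient!r:6} strict={strict!r}")
    body, rest = split_body(CONSTRUCTED_REQUEST, lenient_parse)
    print("lenient framing:", body, "next message starts:", rest[:10])
    try:
        split_body(CONSTRUCTED_REQUEST, strict_parse)
    except InvalidContentLength as exc:
        print("strict framing:", exc)
```

With the permissive parser the first request's body is the five bytes `hello` and `GET /admin ...` is left over as a second request; the strict parser refuses the message outright. The `length < 0` guard in `split_body` is the other half of the fix: a negative value that slips past the header parser must not reach a byte-slicing framer.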

@brianquinlan brianquinlan added area-core-library SDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries. library-_http enhancement-breaking-change An enhancement which is breaking. labels Jun 21, 2022
@brianquinlan brianquinlan self-assigned this Jun 21, 2022
@brianquinlan brianquinlan changed the title from "Disallow" to "Disallow negative or hexadecimal content-length headers." Jun 21, 2022
@itsjustkevin itsjustkevin added the breaking-change-request This tracks requests for feedback on breaking changes label Jul 7, 2022
@itsjustkevin
Contributor

@vsmenon @a-siva this breaking change has been in for a while as it did not have the breaking-change-request label applied. For early triage, I intend to place this in the next milestone while we await a decision.

@brianquinlan
Contributor Author

@itsjustkevin - do we no longer need approval from Hixie and grouma?

@a-siva
Contributor

a-siva commented Jul 13, 2022

the breaking change lgtm, not sure who else needs to approve it.

@itsjustkevin
Contributor

@grouma and @Hixie thoughts on this breaking change request?

@Hixie
Contributor

Hixie commented Jul 13, 2022

LGTM

@vsmenon
Member

vsmenon commented Jul 13, 2022

lgtm

@grouma
Member

grouma commented Jul 18, 2022

LGTM

@brianquinlan
Contributor Author

Fixed in 981bcf6

@MaryaBelanger
Contributor

@brianquinlan just want to clarify for my own understanding (and documentation),

Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.

Did you bring this up because content-length headers and the HttpHeaders.contentLength property are completely different items, and you don't want them getting conflated?

Or, did you mean that the statement on the api docs page "The value is negative if there is no content length set." doesn't need to change, because it's equivalent to the statement you made "a negative value means remove the header completely."
