Breaking change 49305: Disallow negative or hexadecimal content-length headers

30 views

Skip to first unread message

Brian Quinlan

unread,

Jul 22, 2022, 1:06:26 PM7/22/22

to anno...@dartlang.org

Discussion here: https://github.com/dart-lang/sdk/issues/49305

NOTE: This change has already landed - I accidentally posted this notification to the wrong group.

Please let me know if this will have some unexpected impact.

Change

Generate a HttpException when HttpHeaders.add(...) encounters a negative or hexadecimal encoded content-length. Currently both are acceptable.

Also, change non-numeric input to raise a HttpException rather than a FormatException so that a consistent Exception is thrown.

Rationale

RFC 7230 says that the production for content-length is:

     Content-Length = 1*DIGIT

So we are currently accepting invalid input that might cause clients/servers to misbehave.

The possibility of HttpHeaders.add(...) throwing FormatException is undocumented so (partially) consolidate to HttpException (which is what is what is thrown for most parse failures).

Impact

This change does not break any Google tests.

Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.

Mitigation

Users should not use HttpHeaders.add(...) to set content-length headers that are not allowed by the RFC.

Cheers,

Brian

Reply all

Reply to author

Forward

0 new messages