NOTE: This change has already landed - I accidentally posted this notification to the wrong group.
Please let me know if this will have some unexpected impact.
Change
Generate a HttpException when HttpHeaders.add(...) encounters a negative or hexadecimal encoded content-length. Currently both are acceptable.
Also, change non-numeric input to raise a HttpException rather than a FormatException so that a consistent Exception is thrown.
Rationale
RFC 7230 says that the production for content-length is:
So we are currently accepting invalid input that might cause clients/servers to misbehave.
The possibility of HttpHeaders.add(...) throwing FormatException is undocumented so (partially) consolidate to HttpException (which is what is what is thrown for most parse failures).
Impact
This change does not break any Google tests.
Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.
Mitigation
Users should not use HttpHeaders.add(...) to set content-length headers that are not allowed by the RFC.
Cheers,
Brian
