[go] net/http/internal/http2: reject non-identical duplicate Content-Length headers

Nicholas Husin (Gerrit)

Jun 8, 2026, 5:06:03 PM
to goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Nicholas Husin, Damien Neil, golang...@luci-project-accounts.iam.gserviceaccount.com, golang-co...@googlegroups.com

Nicholas Husin submitted the change

Change information

Commit message:
net/http/internal/http2: reject non-identical duplicate Content-Length headers

Per RFC 9112:

"If a message is received without Transfer-Encoding and with an invalid
Content-Length header field, then the message framing is invalid and the
recipient MUST treat it as an unrecoverable error, unless the field
value can be successfully parsed as a comma-separated list (Section
5.6.1 of [HTTP]), all values in the list are valid, and all values in
the list are the same (in which case, the message is processed with that
single value used as the Content-Length field value)."

Therefore, similar to HTTP/1 server, ensure that HTTP/2 server rejects
requests with duplicate Content-Length header fields that have different
values. Unlike HTTP/1, we do not consider something like "123", and "
123" (with whitespace) to be the same value, since HPACK in HTTP/2 is
strict about preceding and trailing whitespaces.

Also note that we still silently allow invalid Content-Length value
(defaulting to 0 if given "-3" for example). This is a pre-existing
behavior in our implementation.

Fixes #78746
Change-Id: I3904295a51f9dc4e67061c46f398762a6a6a6964
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Files:
  • M src/net/http/internal/http2/server.go
  • M src/net/http/internal/http2/server_test.go
Change size: M
Delta: 2 files changed, 68 insertions(+), 2 deletions(-)
Branch: refs/heads/master
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I3904295a51f9dc4e67061c46f398762a6a6a6964
Gerrit-Change-Number: 787621
Gerrit-PatchSet: 2
Gerrit-Owner: Nicholas Husin <n...@golang.org>
Gerrit-Reviewer: Damien Neil <dn...@google.com>
Gerrit-Reviewer: Nicholas Husin <hu...@google.com>
Gerrit-Reviewer: Nicholas Husin <n...@golang.org>
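
The comparison rule from the commit message, as an added example that is not code from the Go change itself. The function name `singleContentLength`, the `trimOWS` switch, the error value and the sample header sets are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// errConflictingLength is a hypothetical error value for this example.
var errConflictingLength = errors.New("conflicting Content-Length values")

// singleContentLength collapses repeated Content-Length field values into one.
// With trimOWS=false the values must match byte for byte (the strict HTTP/2
// comparison the commit message describes). With trimOWS=true surrounding
// spaces and tabs are ignored first (the HTTP/1-style comparison).
// present is false when no Content-Length was sent at all.
// No numeric validation is done here: the commit message treats an invalid
// value such as "-3" as a separate, pre-existing case.
func singleContentLength(values []string, trimOWS bool) (value string, present bool, err error) {
	for i, v := range values {
		if trimOWS {
			v = strings.Trim(v, " \t")
		}
		if i == 0 {
			value, present = v, true
			continue
		}
		if v != value {
			return "", false, fmt.Errorf("%w: %q vs %q", errConflictingLength, value, v)
		}
	}
	return value, present, nil
}

func main() {
	// Constructed sample header sets, not captured traffic.
	samples := [][]string{
		{"123"},
		{"123", "123"},
		{"123", " 123"},
		{"123", "456"},
	}
	for _, s := range samples {
		_, _, strictErr := singleContentLength(s, false)
		_, _, lenientErr := singleContentLength(s, true)
		fmt.Printf("%q strict-rejected=%v lenient-rejected=%v\n", s, strictErr != nil, lenientErr != nil)
	}
}
```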