Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HttpHeaders should reject negative ContentLength values #32660

Closed
wants to merge 1 commit into from

Conversation

onjik
Copy link
Contributor

@onjik onjik commented Apr 17, 2024

Hello ! 👋

Found a code with a possible bug. here

	/**
	 * Set the length of the body in bytes, as specified by the
	 * {@code Content-Length} header.
	 */
	public void setContentLength(long contentLength) {
		set(CONTENT_LENGTH, Long.toString(contentLength));
	}

	/**
	 * Return the length of the body in bytes, as specified by the
	 * {@code Content-Length} header.
	 * <p>Returns -1 when the content-length is unknown.
	 */
	public long getContentLength() {
		String value = getFirst(CONTENT_LENGTH);
		return (value != null ? Long.parseLong(value) : -1);
	}

  1. Negative values should not be present in this header.

"Any Content-Length greater than or equal to zero is a valid value."
https://www.rfc-editor.org/rfc/rfc2616#section-14.13

  1. If the user accidentally puts in -1, a misunderstanding may occur as if there is no header by the getContentHeader().

example -> see this code.

	@Override
	protected ClientHttpResponse executeInternal(HttpHeaders headers) throws IOException {
		byte[] bytes = this.bufferedOutput.toByteArrayUnsafe();
		if (headers.getContentLength() < 0) {
			headers.setContentLength(bytes.length);
		}
		ClientHttpResponse result = executeInternal(headers, bytes);
		this.bufferedOutput.reset();
		return result;
	}

This code is checking for headers through a value of -1.


Let me know, If there's anything you need to change

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Apr 17, 2024
@jhoeller jhoeller added in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Apr 17, 2024
@jhoeller jhoeller added this to the 6.2.0-M2 milestone Apr 17, 2024
@onjik
Copy link
Contributor Author

onjik commented Apr 17, 2024

hi @jhoeller !
I add some test and force push
re-approve workflow please

thank you!!

@bclozel bclozel changed the title Fix HttpHeaders setContentLength method HttpHeaders should reject negative ContentLength values Apr 17, 2024
@bclozel bclozel self-assigned this Apr 17, 2024
@bclozel bclozel closed this in ec055da Apr 17, 2024
@bclozel
Copy link
Member

bclozel commented Apr 17, 2024

Thanks for your contribution @onjik ! This is now merged.

@onjik
Copy link
Contributor Author

onjik commented Apr 18, 2024

@bclozel Thank you so much!!
Thank you for your prompt answer also 😀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: bug A general bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants