Comments (8)
I don't understand what you think the issue is.
chunked, gzip may look meaningless but it is possible and its behaviour is well described.
Yes, its behaviour is described:
If a Transfer-Encoding header field is present in a request and the chunked transfer coding is not the final encoding, the message body length cannot be determined reliably; the server MUST respond with the 400 (Bad Request) status code and then close the connection.
from http-parser.
@sam-github, this exception is assigned for "the message body length cannot be determined reliably" + "chunked transfer coding is not the final encoding". It means that you can't receive an HTTP header with Transfer-Encoding: chunked, gzip and without Content-Length.
But if Content-Length exists, then Transfer-Encoding: chunked, gzip is a valid header.
from http-parser.
From the very same 3.3.3:
If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and **ought to be handled as an error**.
In other words, Transfer-Encoding cannot be present together with Content-Length.
It must be said that the presence of both headers leads to quite practical request smuggling attacks as was demonstrated by security researchers.
from http-parser.
The chunked encoder/decoder should be shipped outside the http parser as a separate library. It should be used by the end user together with the gzip, brotli, zstd, compress encoders/decoders.
This simply can't work as the presence of chunked TE alters the protocol in a way that cannot be offloaded to a 3rd party module.
from http-parser.
Hello @indutny, I can't agree with you, please read carefully.
- If a Transfer-Encoding header field is present in a response and the chunked transfer coding is not the final encoding, the message body length is determined by reading the connection until it is closed by the server.
- If a Transfer-Encoding header field is present in a request and the chunked transfer coding is not the final encoding, the message body length cannot be determined reliably; the server MUST respond with the 400 (Bad Request) status code and then close the connection.
- If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling.
The 3rd exception is related to requests only; a response just reads as much data as possible from the server and has no possible security exceptions.
Please read RFC 7230 - 3.3.1 Transfer-Encoding for clarification too.
- If any transfer coding other than chunked is applied to a request payload body, the sender MUST apply chunked as the final transfer coding to ensure that the message is properly framed.
- If any transfer coding other than chunked is applied to a response payload body, the sender MUST either apply chunked as the final transfer coding or terminate the message by closing the connection.
This simply can't work as the presence of chunked TE alters protocol in a way that cannot be offloaded to a 3rd party module.
I see no collisions. Transfer-Encoding: chunked, gzip means just gzip after chunked. The user is reading data, then applies gzip and then chunked.
from http-parser.
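As an added example (not http-parser's code) of the RFC 7230 3.3.3 framing rules the comments above quote, this constructed decision function takes a list of (name, value) header pairs and says how a parser should frame the body, including the "chunked not final" and "Transfer-Encoding plus Content-Length" cases:

```python
"""Body framing per RFC 7230 section 3.3.3 (added example, not http-parser code)."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]  # constructed representation: (field-name, field-value)


def _codings(headers: List[Header]) -> List[str]:
    """Collect Transfer-Encoding codings in order, across repeated fields."""
    out: List[str] = []
    for name, value in headers:
        if name.lower() == "transfer-encoding":
            out.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return out


def body_framing(headers: List[Header], is_request: bool) -> Tuple[str, Optional[int]]:
    """Return (mode, length).

    mode is 'chunked' (read chunked framing; any other coding is the user's job),
    'content-length' (read exactly `length` bytes), 'close' (response ends when
    the server closes), 'none' (no body), or 'reject' (respond 400 and close).
    Status-code cases such as 204/304/HEAD are ignored for brevity.
    """
    te = _codings(headers)
    cl_values = [v.strip() for n, v in headers if n.lower() == "content-length"]

    if te:
        if cl_values:
            # Both headers present: the RFC says this ought to be handled as an
            # error, since it is the classic request-smuggling ambiguity.
            return ("reject", None)
        if te[-1] == "chunked":
            return ("chunked", None)
        # chunked is present but not the final coding (e.g. "chunked, gzip")
        if is_request:
            return ("reject", None)  # MUST respond 400 and close
        return ("close", None)       # response: read until the server closes

    if cl_values:
        # Repeated or non-numeric Content-Length values cannot be trusted.
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            return ("reject", None)
        return ("content-length", int(cl_values[0]))

    return ("none", None) if is_request else ("close", None)
```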
I was wrong about Content-Length: it can't be used to identify the length of the body if Transfer-Encoding was used, this usage is forbidden. But responses without Content-Length can have Transfer-Encoding with chunked in any position with other encodings.
from http-parser.
Well, FWIW it is allowed for responses:
Lines 1904 to 1913 in 5c5b3ac
from http-parser.
The parser doesn't depend on gzip, brotli, etc. It can't decode chunked for the user, because there is another encoding on top of chunked. The user has to handle chunked by himself anyway.
from http-parser.