net/http: correct Content-Length parsing for js/wasm
authorCharlotte Brandhorst-Satzkorn <charlotte@catzkorn.dev>
Sat, 23 Oct 2021 02:46:46 +0000 (22:46 -0400)
committerBrad Fitzpatrick <bradfitz@golang.org>
Mon, 25 Oct 2021 17:02:16 +0000 (17:02 +0000)
The Content-Length was incorrectly set to 0 for ill-formed and invalid
values. In these cases, return an error.

If the Content-Length header was omitted, it was incorrectly set to 0.
In this case, set the Content-Length value to -1.

Fixes #49108

Change-Id: I24fe9a31ed5b6ddb53f2b2bd10f2c84e428823e3
Reviewed-on: https://go-review.googlesource.com/c/go/+/358134
Run-TryBot: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Trust: Brad Fitzpatrick <bradfitz@golang.org>
Trust: David Crawshaw <crawshaw@golang.org>

src/net/http/roundtrip_js.go

index 74c83a9172cab2524156d097394fb1fe5f1ef202..362dbcbdde14e6fe8d93b6da2bcb4ac2e9d658c8 100644 (file)
@@ -131,8 +131,24 @@ func (t *Transport) RoundTrip(req *Request) (*Response, error) {
                }
 
                contentLength := int64(0)
-               if cl, err := strconv.ParseInt(header.Get("Content-Length"), 10, 64); err == nil {
+               clHeader := header.Get("Content-Length")
+               switch {
+               case clHeader != "":
+                       cl, err := strconv.ParseInt(clHeader, 10, 64)
+                       if err != nil {
+                               errCh <- fmt.Errorf("net/http: ill-formed Content-Length header: %v", err)
+                               return nil
+                       }
+                       if cl < 0 {
+                               // Content-Length values less than 0 are invalid.
+                               // See: https://datatracker.ietf.org/doc/html/rfc2616/#section-14.13
+                               errCh <- fmt.Errorf("net/http: invalid Content-Length header: %q", clHeader)
+                               return nil
+                       }
                        contentLength = cl
+               default:
+                       // If the response length is not declared, set it to -1.
+                       contentLength = -1
                }
 
                b := result.Get("body")
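Review bot: `strconv.ParseInt` in the `clHeader != ""` case accepts a sign prefix, so values such as `+10` or `-0` pass both the parse and the `cl < 0` check even though Content-Length is defined as digits only. Length parsing that is more lenient than other HTTP components is a known source of message-framing disagreements, so I would parse strictly with `cl, err := strconv.ParseUint(clHeader, 10, 63)` and assign `contentLength = int64(cl)`, which also makes the separate negative check unnecessary. Since every switch arm now assigns or returns, the `int64(0)` initializer is dead and could become `var contentLength int64`. RoundTrip begins and ends outside this hunk, so how `errCh` is consumed is not visible here.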