From: Charlotte Brandhorst-Satzkorn Date: Sat, 23 Oct 2021 02:46:46 +0000 (-0400) Subject: net/http: correct Content-Length parsing for js/wasm X-Git-Tag: go1.18beta1~780 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=52b10ab79451df78797b87e40eb9371127bad260;p=gostls13.git net/http: correct Content-Length parsing for js/wasm The Content-Length was incorrectly set to 0 for ill-formed and invalid values. In these cases, return an error. If the Content-Length header was omitted, it was incorrectly set to 0. In this case, set the Content-Length value to -1. Fixes #49108 Change-Id: I24fe9a31ed5b6ddb53f2b2bd10f2c84e428823e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/358134 Run-TryBot: Johan Brandhorst-Satzkorn Run-TryBot: Brad Fitzpatrick TryBot-Result: Go Bot Reviewed-by: Brad Fitzpatrick Trust: Brad Fitzpatrick Trust: David Crawshaw --- diff --git a/src/net/http/roundtrip_js.go b/src/net/http/roundtrip_js.go index 74c83a9172..362dbcbdde 100644 --- a/src/net/http/roundtrip_js.go +++ b/src/net/http/roundtrip_js.go @@ -131,8 +131,24 @@ func (t *Transport) RoundTrip(req *Request) (*Response, error) { } contentLength := int64(0) - if cl, err := strconv.ParseInt(header.Get("Content-Length"), 10, 64); err == nil { + clHeader := header.Get("Content-Length") + switch { + case clHeader != "": + cl, err := strconv.ParseInt(clHeader, 10, 64) + if err != nil { + errCh <- fmt.Errorf("net/http: ill-formed Content-Length header: %v", err) + return nil + } + if cl < 0 { + // Content-Length values less than 0 are invalid. + // See: https://datatracker.ietf.org/doc/html/rfc2616/#section-14.13 + errCh <- fmt.Errorf("net/http: invalid Content-Length header: %q", clHeader) + return nil + } contentLength = cl + default: + // If the response length is not declared, set it to -1. + contentLength = -1 } b := result.Get("body")