Skip to content

Disallow negative or hexadecimal content-length headers. #49305

New issue
New issue
Closed
Closed
Disallow negative or hexadecimal content-length headers.#49305
Assignees
brianquinlan
Labels
area-core-librarySDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.breaking-change-requestThis tracks requests for feedback on breaking changesenhancement-breaking-changeAn enhancement which is breaking.library-_http
Milestone
December Release (Dart 2.19)
@brianquinlan

Description

@brianquinlan
brianquinlan
opened on Jun 21, 2022

Change

Generate a HttpException when HttpHeaders.add(...) encounters a negative or hexadecimal encoded content-length. Currently both are acceptable.

Also, change non-numeric input to raise a HttpException rather than a FormatException so that a consistent Exception is thrown.

Rationale

RFC 7230 says that the production for content-length is:

     Content-Length = 1*DIGIT

So we are currently accepting invalid input that might cause clients/servers to misbehave.

The possibility of HttpHeaders.add(...) throwing FormatException is undocumented so (partially) consolidate to HttpException (which is what is what is thrown for most parse failures).

Impact

This change does not break any Google tests.

Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.

Mitigation

Users should not use HttpHeaders.add(...) to set content-length headers that are not allowed by the RFC.

Metadata

Metadata

Assignees

Labels

area-core-librarySDK core library issues (core, async, ...); use area-vm or area-web for platform specific libraries.breaking-change-requestThis tracks requests for feedback on breaking changesenhancement-breaking-changeAn enhancement which is breaking.library-_http

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions