Skip to content
This repository was archived by the owner on Dec 18, 2018. It is now read-only.

Reject requests that don't set Content-Length or Transfer-Encoding: chunked #1130

Closed
cesarblum opened this issue Sep 28, 2016 · 5 comments
Closed

Reject requests that don't set Content-Length or Transfer-Encoding: chunked #1130

cesarblum opened this issue Sep 28, 2016 · 5 comments
Assignees
@cesarblum
Labels
3 - Done enhancement
Milestone
1.1.0

Comments

@cesarblum
Copy link
Contributor

Requests containing a body (POST, PUT, CONNECT, PATCH, OPTIONS) should be rejected with a 411 Length Required if they don't include a Content-Length or Transfer-Encoding: chunked header.
@muratg muratg added this to the 1.1.0 milestone Oct 31, 2016
@cesarblum
Copy link
Contributor Author

cesarblum commented Nov 2, 2016
edited
Loading

I was re-reading the spec and it says this:

The presence of a message body in a request is signaled by a
Content-Length or Transfer-Encoding header field.  Request message
framing is independent of method semantics, even if the method does
not define any use for a message body.

https://tools.ietf.org/html/rfc7230#section-3.3

Which means there's no "hard rule" for what methods can or cannot contain a body. We could be prescriptive here and determine that POST and some other methods must send Transfer-Encoding or Content-Length, but that seems unnecessary.

RFC 7231 actually helps here. For GET, it says

A payload within a GET request message has no defined semantics;
sending a payload body on a GET request might cause some existing
implementations to reject the request.

https://tools.ietf.org/html/rfc7231#section-4.3.1

There are similar statements for HEAD, DELETE and CONNECT. It explicitly forbids a message body in TRACE requests. OPTIONS is the least clear one - the spec mentions Content-Type but nothing about requiring Content-Length: 0 if there's no payload body.

We already somewhat guard against messages that don't specify a content length by assuming 0. This means things could silently fail or behave strangely for some apps. Deciding on a set of methods and sending a 411 is more explicit. But then the spec doesn't help a lot in deciding which methods to treat like that.

@cesarblum
Copy link
Contributor Author

I'm thinking of making this change for POST and PUT only, leaving OPTIONS out (I'm not familiar with how clients use OPTIONS).

@cesarblum
Copy link
Contributor Author

This seems to be what IIS does btw. I know lighttpd requires Content-Length on POST too (and I assume PUT). I'll check nginx.

@cesarblum
Copy link
Contributor Author

Same for nginx.

cesarblum pushed a commit that referenced this issue Nov 3, 2016
Reject POST and PUT requests with no Content-Length or Transfer-Encod…
fdeea49 
…ing (#1130).
@cesarblum cesarblum mentioned this issue Nov 3, 2016
Merged
cesarblum pushed a commit that referenced this issue Nov 4, 2016
Reject POST and PUT requests with no Content-Length or Transfer-Encod…
9f82daa 
…ing (#1130).
@muratg
Copy link
Contributor

muratg commented Nov 4, 2016

If we can't get this in soon, let's move it to 1.2.0.

cesarblum pushed a commit that referenced this issue Nov 5, 2016
Reject POST and PUT requests with no Content-Length or Transfer-Encod…
a1c5987 
…ing (#1130).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@cesarblum cesarblum

Labels
3 - Done enhancement
Projects
None yet
Milestone
1.1.0
Development

No branches or pull requests
2 participants
@cesarblum @muratg