Closed
Description
What version of Go are you using (go version)?
$ go version
go version devel go1.22-977e23a707 Mon Jul 31 19:10:40 2023 +0000 linux/amd64Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (go env)?
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/root/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/root/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/app/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/app/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.22-977e23a707 Mon Jul 31 19:10:40 2023 +0000'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='0'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2136977550=/tmp/go-build -gno-record-gcc-switches'What did you do?
- Started an HTTP server using
net/http. - Sent it the following request:
GET / HTTP/1.1\r\n
Host: whatever\r\n
Content-Length: \r\n
Test: test\r\n
\r\n
What did you expect to see?
A 400 response informing me that the request is invalid beacuse its Content-Length header does not conform to the grammar rule from the relevant RFCs.
Section 8.6 of RFC 9110 defines the acceptable values in a Content-Length field value as follows:
Content-Length = 1*DIGIT
DIGIT is defined as follows in RFC 5234:
DIGIT = %x30-39
What did you see instead?
A 200 response. The server interpreted the empty Content-Length header as though it were Content-Length: 0. This is potentially of use in a request smuggling exploit chain, because the semantics of an empty CL header are not defined, as far as I am aware.
Suggested fix
AIOHTTP, Apache httpd, Boost::Beast, Gunicorn, H2O, IIS, jetty, lighttpd, NGINX, Node.js, Apache Tomcat, and Tornado all reject requests containing empty CL headers. I suggest that net/http do the same.