Change
Generate a HttpException when HttpHeaders.add(...) encounters a negative or hexadecimal encoded content-length. Currently both are acceptable.
Also, change non-numeric input to raise a HttpException rather than a FormatException so that a consistent Exception is thrown.
Rationale
RFC 7230 says that the production for content-length is:
So we are currently accepting invalid input that might cause clients/servers to misbehave.
The possibility of HttpHeaders.add(...) throwing FormatException is undocumented so (partially) consolidate to HttpException (which is what is what is thrown for most parse failures).
Impact
This change does not break any Google tests.
Note that this does not change the semantics of the HttpHeaders.contentLength property where a negative value means remove the header completely.
Mitigation
Users should not use HttpHeaders.add(...) to set content-length headers that are not allowed by the RFC.
Change
Generate a
HttpExceptionwhenHttpHeaders.add(...)encounters a negative or hexadecimal encodedcontent-length. Currently both are acceptable.Also, change non-numeric input to raise a
HttpExceptionrather than aFormatExceptionso that a consistentExceptionis thrown.Rationale
RFC 7230 says that the production for
content-lengthis:So we are currently accepting invalid input that might cause clients/servers to misbehave.
The possibility of
HttpHeaders.add(...)throwingFormatExceptionis undocumented so (partially) consolidate toHttpException(which is what is what is thrown for most parse failures).Impact
This change does not break any Google tests.
Note that this does not change the semantics of the
HttpHeaders.contentLengthproperty where a negative value means remove the header completely.Mitigation
Users should not use
HttpHeaders.add(...)to setcontent-lengthheaders that are not allowed by the RFC.