Merge commit from fork

chrisvest · adwsingh · web-flow · commit 84530fa81e12 · 2026-05-04T11:37:32.000-07:00
* Bring Transfer-Encoding/Content-Length in line with RFC 9112

Motivation:
RFC 9112 makes it clear than sending an HTTP/1.1 message with both Transfer-Encoding and Content-Length is not allowed.

Modification:
Make HttpObjectDecoder throw TransferEncodingNotAllowedException if the HTTP version is not HTTP/1.1.

Make HttpObjectDecoder throw ContentLengthNotAllowedException by default if an HTTP/1.1 request contain both Transfer-Encoding and Content-Length headers.
Previously, RFC 7230 permitted us to just remove the Content-Length header, but this is now discouraged practice.

Result:
More up to date HTTP decoding behavior.

* Add overrides and documentation to revert to RFC 7230 behavior

* Add HttpDecoderConfig options and server Keep-Alive: close behavior

Co-authored-by: Adwait Kumar Singh &lt;adwsingh@amazon.com&gt;

---------

Co-authored-by: Adwait Kumar Singh &lt;adwsingh@amazon.com&gt;
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/ContentLengthNotAllowedException.java b/codec-http/src/main/java/io/netty/handler/codec/http/ContentLengthNotAllowedException.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2026 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http;
+
+import io.netty.handler.codec.DecoderException;
+
+/**
+ * Thrown by {@link HttpObjectDecoder#handleTransferEncodingChunkedWithContentLength(HttpMessage)} by default.
+ * <p>
+ * The HTTP/1.1 specification, RFC 9112, disallow senders from including both {@code Tranfer-Encoding} and
+ * {@code Content-Length headers in the same message, and permits servers to reject such requests.
+ */
+public final class ContentLengthNotAllowedException extends DecoderException {
+    /**
+     * Create a new instance with the given message.
+     * @param message The exception message.
+     */
+    public ContentLengthNotAllowedException(String message) {
+        super(message);
+    }
+}
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpDecoderConfig.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpDecoderConfig.java
@@ -35,6 +35,7 @@ public final class HttpDecoderConfig implements Cloneable {
     private int maxHeaderSize = HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
     private int initialBufferSize = HttpObjectDecoder.DEFAULT_INITIAL_BUFFER_SIZE;
     private boolean strictLineParsing = HttpObjectDecoder.DEFAULT_STRICT_LINE_PARSING;
+    private boolean useRfc9112TransferEncoding = HttpObjectDecoder.RFC9112_TRANSFER_ENCODING;
 
     public int getInitialBufferSize() {
         return initialBufferSize;
@@ -247,6 +248,28 @@ public HttpDecoderConfig setStrictLineParsing(boolean strictLineParsing) {
         return this;
     }
 
+    public boolean isUseRfc9112TransferEncoding() {
+        return useRfc9112TransferEncoding;
+    }
+
+    /**
+     * The RFC 9112 specification is more strict than RFC 7230 with regards to having {@code Transfer-Encoding} and
+     * {@code Content-Length} headers in the same HTTP message. Senders are now forbidden from including both headers
+     * in the same message, while servers may reject such requests. When this setting is set to {@code true}, which
+     * is the default, then such messages will be <em>rejected.</em>
+     * <p>
+     * When this setting is set to {@code false}, it restores the RFC 7230 behavior of instead removing any
+     * {@code Content-Length} headers when {@code Transfer-Encoding} headers are present.
+     * @param useRfc9112TransferEncoding Whether to reject messages with both {@code Transfer-Encoding} and
+     *                                   {@code Content-Length} headers.
+     * @return This decoder config.
+     * @see HttpObjectDecoder#handleTransferEncodingChunkedWithContentLength(HttpMessage)
+     */
+    public HttpDecoderConfig setUseRfc9112TransferEncoding(boolean useRfc9112TransferEncoding) {
+        this.useRfc9112TransferEncoding = useRfc9112TransferEncoding;
+        return this;
+    }
+
     @Override
     public HttpDecoderConfig clone() {
         try {
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpObjectDecoder.java
@@ -27,6 +27,7 @@
 import io.netty.util.ByteProcessor;
 import io.netty.util.internal.StringUtil;
 import io.netty.util.internal.SystemPropertyUtil;
+import io.netty.util.internal.ThrowableUtil;
 
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -154,6 +155,9 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     public static final boolean DEFAULT_ALLOW_DUPLICATE_CONTENT_LENGTHS = false;
     public static final boolean DEFAULT_STRICT_LINE_PARSING =
             SystemPropertyUtil.getBoolean("io.netty.handler.codec.http.defaultStrictLineParsing", true);
+    public static final String PROP_RFC9112_TRANSFER_ENCODING = "io.netty.handler.codec.http.rfc9112TransferEncoding";
+    public static final boolean RFC9112_TRANSFER_ENCODING =
+            SystemPropertyUtil.getBoolean(PROP_RFC9112_TRANSFER_ENCODING, true);
 
     private static final Runnable THROW_INVALID_CHUNK_EXTENSION = new Runnable() {
         @Override
@@ -168,6 +172,12 @@ public void run() {
             throw new InvalidLineSeparatorException();
         }
     };
+    private static final TransferEncodingNotAllowedException TRANSFER_ENCODING_NOT_ALLOWED =
+            ThrowableUtil.unknownStackTrace(
+                    new TransferEncodingNotAllowedException(
+                            "The Transfer-Encoding header is only allowed in HTTP/1.1 or newer"),
+                    HttpObjectDecoder.class,
+                    "readHeaders(ByteBuf)");
 
     private final int maxChunkSize;
     private final boolean chunkedSupported;
@@ -180,6 +190,7 @@ public void run() {
     protected final HttpHeadersFactory headersFactory;
     protected final HttpHeadersFactory trailersFactory;
     private final boolean allowDuplicateContentLengths;
+    private final boolean useRfc9112TransferEncoding;
     private final ByteBuf parserScratchBuffer;
     private final Runnable defaultStrictCRLFCheck;
     private final HeaderParser headerParser;
@@ -344,6 +355,7 @@ protected HttpObjectDecoder(HttpDecoderConfig config) {
         validateHeaders = isValidating(headersFactory);
         allowDuplicateContentLengths = config.isAllowDuplicateContentLengths();
         allowPartialChunks = config.isAllowPartialChunks();
+        useRfc9112TransferEncoding = config.isUseRfc9112TransferEncoding();
     }
 
     protected boolean isValidating(HttpHeadersFactory headersFactory) {
@@ -692,7 +704,7 @@ private void resetNow() {
         message = null;
         name = null;
         value = null;
-        contentLength = Long.MIN_VALUE;
+        clearContentLength();
         chunked = false;
         lineParser.reset();
         headerParser.reset();
@@ -825,6 +837,13 @@ private State readHeaders(ByteBuf buffer) {
             HttpUtil.setTransferEncodingChunked(message, false);
             return State.SKIP_CONTROL_CHARS;
         }
+        if (message.headers().contains(HttpHeaderNames.TRANSFER_ENCODING) &&
+                message.protocolVersion() != HttpVersion.HTTP_1_1 &&
+                useRfc9112TransferEncoding) {
+            // The Transfer-Encoding header is not permitted at all with HTTP protocols older than 1.1,
+            // and such requests must be rejected.
+            throw TRANSFER_ENCODING_NOT_ALLOWED;
+        }
         if (HttpUtil.isTransferEncodingChunked(message)) {
             this.chunked = true;
             if (!contentLengthFields.isEmpty() && message.protocolVersion() == HttpVersion.HTTP_1_1) {
@@ -848,27 +867,61 @@ private static boolean isLengthEqual(String lengthValue, long contentLength) {
 
     /**
      * Invoked when a message with both a "Transfer-Encoding: chunked" and a "Content-Length" header field is detected.
-     * The default behavior is to <i>remove</i> the Content-Length field, but this method could be overridden
-     * to change the behavior (to, e.g., throw an exception and produce an invalid message).
+     * The default behavior is to throw a {@link ContentLengthNotAllowedException} exception, but this method could
+     * be overridden to change the behavior (to, e.g., remove the {@code Content-Length} header value.
      * <p>
-     * See: https://tools.ietf.org/html/rfc7230#section-3.3.3
+     * See: <a href="https://www.rfc-editor.org/rfc/rfc9112.html#section-6.1-15">RFC 9112, Section 6.1-15</a>.
      * <pre>
-     *     If a message is received with both a Transfer-Encoding and a
-     *     Content-Length header field, the Transfer-Encoding overrides the
-     *     Content-Length.  Such a message might indicate an attempt to
-     *     perform request smuggling (Section 9.5) or response splitting
-     *     (Section 9.4) and ought to be handled as an error.  A sender MUST
-     *     remove the received Content-Length field prior to forwarding such
-     *     a message downstream.
+     *     A server MAY reject a request that contains both Content-Length and Transfer-Encoding
+     *     or process such a request in accordance with the Transfer-Encoding alone.
+     *     Regardless, the server MUST close the connection after responding to such a request
+     *     to avoid the potential attacks.
      * </pre>
-     * Also see:
-     * https://github.com/apache/tomcat/blob/b693d7c1981fa7f51e58bc8c8e72e3fe80b7b773/
-     * java/org/apache/coyote/http11/Http11Processor.java#L747-L755
-     * https://github.com/nginx/nginx/blob/0ad4393e30c119d250415cb769e3d8bc8dce5186/
-     * src/http/ngx_http_request.c#L1946-L1953
+     * Since Netty itself cannot track the request/response pairing, it cannot guarantee that the connection is closed
+     * immediately after the response is sent. As such, it is safer to immediately reject the request.
+     * <p>
+     * <strong>Note:</strong> RFC 7230 (the previous HTTP/1.1 RFC) allowed the {@code Content-Length} header to simply
+     * be ignored, in the presence of a {@code Transfer-Encoding} header, but this practice is now obsolete
+     * and considered unsafe.
+     * The RFC 7230 behavior can be restored in the following ways:
+     * <ul>
+     *     <li>
+     *         Process-wide, by setting the {@value PROP_RFC9112_TRANSFER_ENCODING} system property to {@code false}.
+     *     </li>
+     *     <li>
+     *         Configured for a specific decoder, by setting
+     *         {@link HttpDecoderConfig#setUseRfc9112TransferEncoding(boolean)} to {@code false}.
+     *     </li>
+     *     <li>
+     *         Hard-coded for a specific decoder, by overriding this method with an implementation like the following:
+     *         <pre>{@code
+     * @Override
+     * protected void handleTransferEncodingChunkedWithContentLength(HttpMessage message) {
+     *     clearContentLength();
+     *     message.headers().remove(HttpHeaderNames.CONTENT_LENGTH);
+     * }
+     *         }</pre>
+     *     </li>
+     * </ul>
+     * <p>
+     * <strong>Note:</strong> This method is only called for {@code HTTP/1.1} requests. Earlier HTTP protocol versions
+     * do not support the {@code Transfer-Encoding} header, and will reject requests that include it.
      */
+    @SuppressWarnings("unused")
     protected void handleTransferEncodingChunkedWithContentLength(HttpMessage message) {
-        message.headers().remove(HttpHeaderNames.CONTENT_LENGTH);
+        clearContentLength();
+        if (useRfc9112TransferEncoding) {
+            throw new ContentLengthNotAllowedException(
+                    "Content-Length are not allowed in HTTP/1.1 messages that contains a Transfer-Encoding header.");
+        } else {
+            message.headers().remove(HttpHeaderNames.CONTENT_LENGTH);
+            if (isDecodingRequest()) {
+                HttpUtil.setKeepAlive(message, false);
+            }
+        }
+    }
+
+    protected final void clearContentLength() {
         contentLength = Long.MIN_VALUE;
     }
 
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java b/codec-http/src/main/java/io/netty/handler/codec/http/HttpServerCodec.java
@@ -16,7 +16,9 @@
 package io.netty.handler.codec.http;
 
 import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelFutureListener;
 import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.ChannelPromise;
 import io.netty.channel.CombinedChannelDuplexHandler;
 
 import java.util.ArrayDeque;
@@ -70,6 +72,11 @@ public final class HttpServerCodec extends CombinedChannelDuplexHandler<HttpRequ
     private int methodQueueSize;
     private Queue<Byte> methodOverflowQueue;
 
+    /**
+     * When set, the connection will be closed after the next response is written.
+     */
+    private boolean mustCloseAfterResponse;
+
     /**
      * Creates a new instance with the default decoder options
      * ({@code maxInitialLineLength (4096)}, {@code maxHeaderSize (8192)}, and
@@ -239,12 +246,27 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
                 }
             }
         }
+
+        @Override
+        protected void handleTransferEncodingChunkedWithContentLength(HttpMessage message) {
+            super.handleTransferEncodingChunkedWithContentLength(message);
+            mustCloseAfterResponse = true;
+        }
     }
 
     private final class HttpServerResponseEncoder extends HttpResponseEncoder {
 
         private byte methodFlag;
 
+        @Override
+        public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) throws Exception {
+            if (mustCloseAfterResponse && msg instanceof LastHttpContent) {
+                mustCloseAfterResponse = false;
+                promise = promise.unvoid().addListener(ChannelFutureListener.CLOSE);
+            }
+            super.write(ctx, msg, promise);
+        }
+
         @Override
         protected void sanitizeHeadersBeforeEncode(HttpResponse msg, boolean isAlwaysEmpty) {
             if (!isAlwaysEmpty && methodFlag == METHOD_FLAG_CONNECT
diff --git a/codec-http/src/main/java/io/netty/handler/codec/http/TransferEncodingNotAllowedException.java b/codec-http/src/main/java/io/netty/handler/codec/http/TransferEncodingNotAllowedException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2026 The Netty Project
+ *
+ * The Netty Project licenses this file to you under the Apache License,
+ * version 2.0 (the "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at:
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+package io.netty.handler.codec.http;
+
+import io.netty.handler.codec.DecoderException;
+
+/**
+ * Thrown by {@link HttpObjectDecoder} when an HTTP message uses a protocol version older than {@code HTTP/1.1}
+ * and includes an {@code Transfer-Encoding} header.
+ */
+public final class TransferEncodingNotAllowedException extends DecoderException {
+    /**
+     * Create a new instance with the given message.
+     * @param message The exception message.
+     */
+    public TransferEncodingNotAllowedException(String message) {
+        super(message);
+    }
+}
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpInvalidMessageTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpInvalidMessageTest.java
@@ -91,7 +91,7 @@ public void testResponseWithBadHeader() throws Exception {
     @Test
     public void testBadChunk() throws Exception {
         EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestDecoder());
-        ch.writeInbound(Unpooled.copiedBuffer("GET / HTTP/1.0\r\n", CharsetUtil.UTF_8));
+        ch.writeInbound(Unpooled.copiedBuffer("GET / HTTP/1.1\r\n", CharsetUtil.UTF_8));
         ch.writeInbound(Unpooled.copiedBuffer("Transfer-Encoding: chunked\r\n\r\n", CharsetUtil.UTF_8));
         ch.writeInbound(Unpooled.copiedBuffer("BAD_LENGTH\r\n", CharsetUtil.UTF_8));
 
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpRequestDecoderTest.java
@@ -702,7 +702,7 @@ private static void testContentLengthAndTransferEncodingHeadersWithInvalidSepara
     }
 
     @Test
-    public void testContentLengthHeaderAndChunked() {
+    public void testContentLengthHeaderAndChunkedHttp11() {
         String requestStr = "POST / HTTP/1.1\r\n" +
                 "Host: example.com\r\n" +
                 "Connection: close\r\n" +
@@ -712,15 +712,48 @@ public void testContentLengthHeaderAndChunked() {
         EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
         assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
         HttpRequest request = channel.readInbound();
+        assertTrue(request.decoderResult().isFailure());
+        assertThat(request.decoderResult().cause()).isInstanceOf(ContentLengthNotAllowedException.class);
+        assertFalse(channel.finish());
+    }
+
+    @Test
+    public void testContentLengthHeaderAndChunkedHttp11RFC7230() {
+        String requestStr = "POST / HTTP/1.1\r\n" +
+                "Host: example.com\r\n" +
+                "Content-Length: 5\r\n" +
+                "Transfer-Encoding: chunked\r\n\r\n" +
+                "0\r\n\r\n";
+        EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder(
+                new HttpDecoderConfig().setUseRfc9112TransferEncoding(false)));
+        assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
+        HttpRequest request = channel.readInbound();
         assertFalse(request.decoderResult().isFailure());
         assertTrue(request.headers().names().contains("Transfer-Encoding"));
         assertTrue(request.headers().contains("Transfer-Encoding", "chunked", false));
         assertFalse(request.headers().contains("Content-Length"));
+        assertEquals("close", request.headers().get("Connection"));
         LastHttpContent c = channel.readInbound();
         c.release();
         assertFalse(channel.finish());
     }
 
+    @Test
+    public void testContentLengthHeaderAndChunkedHttp10() {
+        String requestStr = "POST / HTTP/1.0\r\n" +
+                "Host: example.com\r\n" +
+                "Connection: close\r\n" +
+                "Content-Length: 5\r\n" +
+                "Transfer-Encoding: chunked\r\n\r\n" +
+                "0\r\n\r\n";
+        EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestDecoder());
+        assertTrue(channel.writeInbound(Unpooled.copiedBuffer(requestStr, CharsetUtil.US_ASCII)));
+        HttpRequest request = channel.readInbound();
+        assertTrue(request.decoderResult().isFailure());
+        assertThat(request.decoderResult().cause()).isInstanceOf(TransferEncodingNotAllowedException.class);
+        assertFalse(channel.finish());
+    }
+
     @Test
     void mustRejectImproperlyTerminatedChunkExtensions() throws Exception {
         // See full explanation: https://w4ke.info/2025/06/18/funky-chunks.html
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpResponseDecoderTest.java
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpServerCodecTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpServerCodecTest.java
diff --git a/codec-http/src/test/java/io/netty/handler/codec/http/HttpServerKeepAliveHandlerTest.java b/codec-http/src/test/java/io/netty/handler/codec/http/HttpServerKeepAliveHandlerTest.java
