Description
According to https://tools.ietf.org/html/rfc7540#section-8.1.2.6: "A request or response is also malformed if the value of a content-length header field does not equal the sum of the DATA frame payload lengths that form the body." and "Clients MUST NOT accept a malformed response. Note that these requirements are intended to protect against several types of common attacks against HTTP; they are deliberately strict because being permissive can expose implementations to these vulnerabilities."
When my client receives a response with an invalid 'content-length' header it sends back RST_STREAM (according to the nghttp2_session_on_data_received implementation) and nghttp2_on_stream_close_callback is called without errors.
I expected that the stream would be closed with some kind of error (e.g. with NGHTTP2_PROTOCOL_ERROR).
Ways to reproduce:
Add sending of an invalid 'content-length' header to examples/libevent-server.c and make a request to libevent-server with libevent-client.
Question
Is the current behaviour expected? Should I validate the content-length header myself in my http2 client?
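The client-side check the question asks about, as an added example that is neither nghttp2 code nor from this issue: it keeps the per-stream accounting RFC 7540 section 8.1.2.6 describes, in the callbacks an nghttp2 application already has, and rejects the stream when the body and content-length disagree. It assumes the response is one that carries a body, and that the lengths summed are the application data delivered by the DATA chunk callback (padding excluded).

```c
#include <stdint.h>
#include <string.h>

/* Constructed per-stream body accounting an nghttp2 client could keep in its own callbacks (not nghttp2 code). */
typedef struct {
    int has_content_length;  /* content-length header seen on this stream */
    uint64_t declared;       /* its value */
    uint64_t received;       /* running sum of DATA payload (application data) lengths */
} body_tracker;

/* Strict content-length parse: ASCII digits only, no sign or whitespace, no overflow. */
int parse_content_length(const char *value, size_t len, uint64_t *out) {
    uint64_t n = 0;
    if (len == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned d = (unsigned)value[i] - '0';               /* non-digits wrap to > 9 */
        if (d > 9 || n > (UINT64_MAX - d) / 10) return -1;  /* bad char or overflow */
        n = n * 10 + d;
    }
    *out = n; return 0;
}

/* Per header of the stream's HEADERS frame (e.g. nghttp2_on_header_callback); a repeated content-length with a different value is malformed. */
int tracker_on_header(body_tracker *t, const char *name, size_t nlen, const char *value, size_t vlen) {
    uint64_t n;
    if (nlen != 14 || memcmp(name, "content-length", 14) != 0) return 0;
    if (parse_content_length(value, vlen, &n) != 0) return -1;
    if (t->has_content_length && t->declared != n) return -1;
    t->has_content_length = 1; t->declared = n;
    return 0;
}

/* Per DATA chunk (e.g. nghttp2_on_data_chunk_recv_callback); fails as soon as the body exceeds the declared length. */
int tracker_on_data(body_tracker *t, size_t len) {
    t->received += len;
    return (t->has_content_length && t->received > t->declared) ? -1 : 0;
}

/* At END_STREAM the body must match content-length exactly. */
int tracker_on_end_stream(const body_tracker *t) {
    return (t->has_content_length && t->received != t->declared) ? -1 : 0;
}

/* Drive one response through the checks: 0 if well-formed, -1 if malformed. */
int check_response(const char *cl, const size_t *chunks, size_t nchunks) {
    body_tracker t = {0, 0, 0};
    if (cl && tracker_on_header(&t, "content-length", 14, cl, strlen(cl)) != 0) return -1;
    for (size_t i = 0; i < nchunks; i++) if (tracker_on_data(&t, chunks[i]) != 0) return -1;
    return tracker_on_end_stream(&t);
}
```

When any of these return -1 the application can treat the stream as malformed itself (for example by returning NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE from the callback so the library resets the stream), independent of what nghttp2 reports in nghttp2_on_stream_close_callback.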