chenBright opened a new pull request, #2518:
URL: https://github.com/apache/brpc/pull/2518

   ### What problem does this PR solve?
   
   Issue Number:
   
   Problem Summary:
   
   1. [RFC 7230 3.3.3](https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3) specifies that Content-Length and Transfer-Encoding: chunked must not be used together, or else Content-Length is ignored. The http-parser version currently used by brpc is rather old and allows Content-Length and Transfer-Encoding: chunked to be used together, which carries a risk of request smuggling and response splitting.
   
   2. [RFC 7233 3.3.2](https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2) specifies that when Transfer-Encoding is present, the sender must not send Content-Length.
   
   ### What is changed and the side effects?
   
   Changed:
   
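   1. Introduce the Content-Length and Transfer-Encoding related code from the latest [http-parser](https://github.com/nodejs/http-parser/blob/main/http_parser.c#L1808). When parsing an HTTP message, messages that carry both Content-Length and Transfer-Encoding are rejected by default. If the switch is turned on and the last encoding in Transfer-Encoding is chunked, Content-Length is removed and the message is accepted.
   2. When building an HTTP message, if Transfer-Encoding is present, Content-Length is removed and not added.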
   
   Side effects:
   - Performance effects:
   
   - Breaking backward compatibility:
   
   ---
   ### Check List:
   - Please make sure your changes are compilable.
   - When providing us with a new feature, it is best to add related tests.
   - Please follow [Contributor Covenant Code of Conduct](../../master/CODE_OF_CONDUCT.md).
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@brpc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
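
The parsing and serialization rules described in the pull request above, sketched as an added example (not code from brpc, http-parser or the PR author). `DecideFraming`, `PrepareForSend` and the switch name `allow_chunked_length` are hypothetical, header names are assumed to be lowercased already, and the Transfer-Encoding-only case follows RFC 7230 3.3.3 for requests.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>

// Added example; every name here is hypothetical, not brpc or http-parser API.
enum class Framing { kNone, kContentLength, kChunked, kReject };
using Headers = std::map<std::string, std::string>;  // keys assumed lowercased

// Last comma-separated coding of a Transfer-Encoding value, trimmed, lowercased.
static std::string LastCoding(const std::string& te) {
    std::string tail = te.substr(te.find_last_of(',') + 1);  // npos + 1 wraps to 0
    const size_t b = tail.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    tail = tail.substr(b, tail.find_last_not_of(" \t") - b + 1);
    std::transform(tail.begin(), tail.end(), tail.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return tail;
}

// Parse side (request): decide how the body is framed, or reject the message.
// allow_chunked_length models the PR's switch; its real name is not on the page.
Framing DecideFraming(Headers& h, bool allow_chunked_length) {
    const auto te = h.find("transfer-encoding");
    const auto cl = h.find("content-length");
    if (te == h.end()) {
        return cl == h.end() ? Framing::kNone : Framing::kContentLength;
    }
    const bool chunked_last = LastCoding(te->second) == "chunked";
    if (cl != h.end()) {
        // Both present: ambiguous framing is what request smuggling relies on.
        if (!allow_chunked_length || !chunked_last) return Framing::kReject;
        h.erase(cl);  // lenient mode: chunked wins, Content-Length is dropped
    }
    // RFC 7230 3.3.3: a request whose final coding is not chunked gets a 400.
    return chunked_last ? Framing::kChunked : Framing::kReject;
}

// Build side: never emit Content-Length next to Transfer-Encoding.
// Returns true if a Content-Length header was removed.
bool PrepareForSend(Headers& h) {
    return h.count("transfer-encoding") != 0 && h.erase("content-length") != 0;
}
```

A `std::map` cannot represent repeated header fields, so a real parser also has to decide what to do with duplicate Content-Length or Transfer-Encoding lines before reaching this decision.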

