Loose validation of the Content-Length values #18921

@loskutov

Description

I did this

% curl -v 'http://wpt.live/fetch/content-length/resources/content-length.py?length=Content-Length:%201InvalidValue,%20AlsoInvalidValue%0D%0AContent-Length:%2042AnotherBadValue'
* Host wpt.live:80 was resolved.
* IPv6: (none)
* IPv4: 34.41.40.10
*   Trying 34.41.40.10:80...
* Connected to wpt.live (34.41.40.10) port 80
> GET /fetch/content-length/resources/content-length.py?length=Content-Length:%201InvalidValue,%20AlsoInvalidValue%0D%0AContent-Length:%2042AnotherBadValue HTTP/1.1
> Host: wpt.live
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=UTF-8
< Connection: close
< Content-Length: 1InvalidValue, AlsoInvalidValue
< Content-Length: 42AnotherBadValue
< 
* Closing connection
Fact: this is really forty-two bytes long.

Note the multiple "Content-Length" values:

< Content-Length: 1InvalidValue, AlsoInvalidValue
< Content-Length: 42AnotherBadValue

I expected the following

As per, e.g., https://fetch.spec.whatwg.org/#header-list-extract-a-length, in the case of multiple Content-Length values (treating the header values as comma-separated lists), I'd expect an error message unless all of them are the same and valid; however, the current implementation seems to take only the first value in the last Content-Length header into account, ignoring the non-numeric suffix (if any) and all other values (as long as curlx_str_numblanks returns STRE_OK).

curl/libcurl version

curl 8.7.1 (x86_64-apple-darwin25.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.66.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL threadsafe UnixSockets

However, the last commit as of now (38ab421) is also affected.

operating system

Not OS-dependent; however,

Darwin My-MacBook-Air.local 25.0.0 Darwin Kernel Version 25.0.0: Wed Sep 17 21:41:39 PDT 2025; root:xnu-12377.1.9~141/RELEASE_ARM64_T8103 arm64
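An added example, not part of the report above and not curl's code: a Python model of the Fetch standard's "extract a length" algorithm that the report cites, next to a model of the lenient behaviour the report describes, both run over the response headers copied from the transcript above. `get_decode_split` is a simplified stand-in for the spec's "get, decode, and split" step: it splits on commas and trims HTTP whitespace but omits quoted-string handling, which a legitimate Content-Length never needs. The strict parser returns the spec's "failure" for the mismatched values, whereas the lenient model returns 42 from `42AnotherBadValue`.

```python
"""Strict vs. lenient Content-Length extraction (constructed example).

Strict version follows the Fetch standard's "extract a length":
https://fetch.spec.whatwg.org/#header-list-extract-a-length
"""

from typing import List, Optional, Tuple, Union

Header = Tuple[str, str]

# Sentinel standing in for the spec's "failure" outcome (distinct from None/null).
FAILURE = "failure"
HTTP_WS = " \t"
ASCII_DIGITS = "0123456789"

# Constructed from the response in the curl transcript above.
RESPONSE_HEADERS: List[Header] = [
    ("Content-Type", "text/plain;charset=UTF-8"),
    ("Connection", "close"),
    ("Content-Length", "1InvalidValue, AlsoInvalidValue"),
    ("Content-Length", "42AnotherBadValue"),
]


def get_decode_split(headers: List[Header], name: str) -> Optional[List[str]]:
    """Simplified 'get, decode, and split': every header named `name`
    (case-insensitive) is split on commas and each member is trimmed of
    HTTP whitespace. Quoted-string handling is deliberately omitted.
    Returns None when no header of that name exists."""
    wanted = name.lower()
    values: List[str] = []
    found = False
    for field_name, field_value in headers:
        if field_name.lower() != wanted:
            continue
        found = True
        for member in field_value.split(","):
            values.append(member.strip(HTTP_WS))
    return values if found else None


def extract_length(headers: List[Header]) -> Union[int, None, str]:
    """Fetch 'extract a length': None (null) when absent or not a plain
    decimal, FAILURE when the values disagree, otherwise the integer."""
    values = get_decode_split(headers, "Content-Length")
    if values is None:
        return None
    candidate: Optional[str] = None
    for value in values:
        if candidate is None:
            candidate = value
        elif value != candidate:
            # Two different Content-Length values: the spec says fail,
            # which is what prevents length-desync between parsers.
            return FAILURE
    if candidate == "" or any(ch not in ASCII_DIGITS for ch in candidate):
        return None
    return int(candidate)


def loose_extract_length(headers: List[Header]) -> Optional[int]:
    """Model of the lenient behaviour described in the report (constructed,
    not curl's code): use only the last Content-Length header, only its
    first comma-separated member, and accept a leading run of digits while
    ignoring whatever follows."""
    last: Optional[str] = None
    for field_name, field_value in headers:
        if field_name.lower() == "content-length":
            last = field_value
    if last is None:
        return None
    first_member = last.split(",")[0].strip(HTTP_WS)
    digits = ""
    for ch in first_member:
        if ch not in ASCII_DIGITS:
            break
        digits += ch
    return int(digits) if digits else None


if __name__ == "__main__":
    print("strict :", extract_length(RESPONSE_HEADERS))        # failure
    print("lenient:", loose_extract_length(RESPONSE_HEADERS))  # 42
```

The two functions only diverge on malformed input: a single well-formed `Content-Length: 42` (or several identical copies) gives 42 from both, so the strict algorithm costs nothing on conforming responses.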
