Skip to content

HttpHeaders: reject Content-Length with leading + or - sign#67635

Open
DeagleGross wants to merge 6 commits into
dotnet:mainfrom
DeagleGross:deaglegross-sturdy-couscous
Open

HttpHeaders: reject Content-Length with leading + or - sign#67635
DeagleGross wants to merge 6 commits into
dotnet:mainfrom
DeagleGross:deaglegross-sturdy-couscous

Conversation

@DeagleGross

Copy link
Copy Markdown
Member

Per RFC 9110 8.6 Content-Length is 1*DIGIT, but Utf8Parser.TryParse() accepts leading + or -, which accepts values such as +1. Added a guard to dissallow leading + or -.

RFC 9112 section 6.2 defines Content-Length as 1*DIGIT. The HTTP/1.1 request header parser used Utf8Parser.TryParse<long>, which accepts a leading '+' or '-' sign. Values like '+123' or '-0' were therefore accepted (parsed as 123 and 0) instead of being rejected with 400 Bad Request.

The custom-encoding path used long.TryParse with NumberStyles.Integer, which also allows a leading sign, so it had the same defect.

Add a leading-digit check on the byte path and switch the custom-encoding path to NumberStyles.None. Extend BadRequestIfContentLengthInvalid to cover '+1', '+0', '-0'.
@DeagleGross DeagleGross self-assigned this Jul 7, 2026
Copilot AI review requested due to automatic review settings July 7, 2026 12:37
@DeagleGross DeagleGross added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Jul 7, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens Kestrel’s Content-Length parsing to align with RFC 9110 §8.6 (Content-Length = 1*DIGIT) by rejecting values that Utf8Parser.TryParse would otherwise accept due to leading sign handling.

Changes:

  • Reject Content-Length values that start with + or - in the fast-path byte parsing.
  • Tighten the custom-encoding parsing path by switching from NumberStyles.Integer to NumberStyles.None to disallow signs/whitespace.
  • Extend functional tests to cover +1, +0, and -0 invalid values.
Show a summary per file
File Description
src/Servers/Kestrel/test/InMemory.FunctionalTests/BadHttpRequestTests.cs Adds coverage for signed Content-Length values that must now be rejected.
src/Servers/Kestrel/Core/src/Internal/Http/HttpRequestHeaders.cs Adds leading-sign rejection in the byte parsing path and tightens the custom-encoding parsing style.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread src/Servers/Kestrel/Core/src/Internal/Http/HttpRequestHeaders.cs
Comment thread src/Servers/Kestrel/Core/src/Internal/Http/HttpRequestHeaders.cs
Comment thread src/Servers/Kestrel/Core/src/Internal/Http/HttpRequestHeaders.cs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants