
HTTP Response should not contain both Transfer-Encoding and Content-Length headers [SPR-15212] #19776

Closed
@spring-projects-issues


Stefanie Loiseleur opened SPR-15212 and commented

Dear Spring Framework Team,

I'm currently building an MvcEndpoint in a Spring Boot application to return the result of an HTTP GET call to another service. This service returns JSON content, with the Transfer-Encoding header set to "chunked".

My endpoint is then consumed by a Node.js server. This Node.js server returns a parse error with code HPE_UNEXPECTED_CONTENT_LENGTH when consuming the endpoint, because the response headers contain both Transfer-encoding:chunked and Content-Length values.

This is considered an error, as specified in RFC 7230 section 3.3.3.3:

"If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 9.5) or response splitting (Section 9.4) and ought to be handled as an error. A sender MUST remove the received Content-Length field prior to forwarding such a message downstream."

https://tools.ietf.org/html/rfc7230#section-3.3.3

This header is added in org.springframework.http.converter.AbstractHttpMessageConverter.addDefaultHeaders at line 259 for the 4.3.3.RELEASE I'm using.

I think the Content-Length header should be added only if the Transfer-Encoding header is not already set.

Do you think AbstractHttpMessageConverter should be updated?

Thank you all.


Affects: 4.3.3, 4.3.6

Issue Links:

Referenced from: commits 9b3131f, d5daa8e
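
The rule in the RFC passage quoted in the issue, written as a check an intermediary could run on relayed headers before it responds. This is an added example, not code from the issue or from Spring Framework: `checkFraming`, `fieldValues` and the sample headers are hypothetical, and the reject branch for an ambiguous Content-Length goes beyond the quoted paragraph to the next rule in the same RFC section.

```javascript
// Constructed sample: header pairs as relayed from an upstream service.
const upstreamHeaders = [
  ["Content-Type", "application/json"],
  ["Transfer-Encoding", "chunked"],
  ["Content-Length", "42"],
];

// Collect every value of one header field, case-insensitively, splitting
// comma-separated lists so "42, 42" counts as two values.
function fieldValues(headers, name) {
  return headers
    .filter(([k]) => k.trim().toLowerCase() === name)
    .flatMap(([, v]) => String(v).split(","))
    .map((v) => v.trim());
}

// Hypothetical helper: decide what an intermediary may send downstream.
// Returns { action, headers, findings }.
function checkFraming(headers) {
  const te = fieldValues(headers, "transfer-encoding");
  const cl = fieldValues(headers, "content-length");
  const findings = [];

  if (te.length > 0 && cl.length > 0) {
    // Transfer-Encoding overrides Content-Length, so the latter is dropped.
    findings.push("Transfer-Encoding and Content-Length both present");
    const kept = headers.filter(
      ([k]) => k.trim().toLowerCase() !== "content-length"
    );
    return { action: "forward-without-content-length", headers: kept, findings };
  }
  if (new Set(cl).size > 1 || cl.some((v) => !/^\d+$/.test(v))) {
    // Without Transfer-Encoding, an ambiguous length cannot be repaired.
    findings.push("conflicting or invalid Content-Length");
    return { action: "reject", headers: [], findings };
  }
  return { action: "forward", headers: headers.slice(), findings };
}
```

Logging the `findings` array whenever it is non-empty gives operators a record of upstream services that send ambiguous framing.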


Labels: in: web (issues in web modules: web, webmvc, webflux, websocket), type: bug (a general bug)
