-
Notifications
You must be signed in to change notification settings - Fork 38.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spring adding 'chunked' transfer encoding even if this header already exists [SPR-16985] #21523
Comments
Juergen Hoeller commented From a quick review, I can't find any place where we explicitly set the "Transfer-Encoding" header in Spring's processing, in particular not to "chunked". Does this maybe come through the HTTP server or some HTTP client library here? Brian Clozel, assigning this to you for further consideration... |
Pradeep Gadi commented I have added a filter and tested the same, this issue is not because of the Httpserver. I am not sure how to figure it out whether the issue is with HTTP client or Spring. Could you please provide me any suggestion on how to proceed with this issue. |
Brian Clozel commented Hi Pradeep Gadi, Could you provide us with a sample application? I can't seem to reproduce this at the moment. |
We stumbled upon this just yesterday and opened an issue against traefik because of this (traefik/traefik#8060). Basically what we do is using a Spring Boot application as a proxy, as we don't want to deal with CORS and Same-Origin-Policy and all that stuff. Thankfully, our test case for this is rather simple:
Now if we curl that controller:
As you can see we have Transfer-Encoding present twice, which breaks traefik (by breaking golang's net/http it seems: https://github.com/golang/go/blob/59bfc18e3441d9cd0b1b2f302935403bbf52ac8b/src/net/http/transfer.go#L634-L637) We are using Spring Boot 2.4.4 / Spring 5.3.5 |
Hi @BSchwetzel In the meantime, we received out-of-band feedback on issues similar to yours. I'll try to summarize our findings in this comment. As far as I understand, golang introduced this restriction in the http layer to prevent HTTP smuggling attacks - but this can only apply to requests received by servers/proxies, not responses sent by servers. So while this change is enforcing a new restriction, it's not meant to protect you here. This change not only applies to traefik, but to many proxies/servers using golang. We've only found that problem in Spring applications with the exact use case you're describing: a controller uses an HTTP client to retrieve a response and returns it as the response of the controller handler method without any modification. We consider this use case as problematic for several reasons:
So while sending duplicate Now we've had similar discussions with developers using the same usage pattern (controllers proxying requests). The chunked header value is a symptom of a much bigger problem: copying headers in and out can cause many HTTP and security issues. HTTP headers can carry information about the state of the connection, security restrictions or options negotiated between client and server. This implementation is a typical example of possible HTTP smuggling vulnerabilities and I'd encourage you to consider this in your application. At a minimum, headers should be properly filtered (in and out). I understand that we're probably looking at a very restricted use case, but implementing a general purpose proxy/gateway is not easy and there are many more problems with that. Maybe Spring Cloud Gateway can be helpful. |
We are also seeing same issue, "Transfer-Encoding: chunked" in response and using following SPring boot version 2.5.2.
|
@anwarmd this issue is about getting duplicate |
@bclozel Can you please suggest me on
|
@bclozel Is a received For most usecases creating a new ResponseEntity should solve the issue (when original Headers are not required at all): |
@Hollerweger Proxies do more than just copying HTTP responses. There are many things to consider, like compression, security headers, caching, content-neogtiation, Forward headers and more. So in general, I don't think that they're meant to be returned directly from a Controller. |
Should this issue be reopened? It's still happening for us with Spring 2.7.2 |
@NameFILIP we have assessed that this is not a bug in Spring. See #21523 (comment) If this does not work for you, please create a new issue with a minimal sample application showing the problem. |
i found prepareResponse() function in tomcat-embed-core package, Http11Processor.java file, |
@xunzhaoderen Tomcat is responsible for setting that header because it knows how the body is being written. As said in my previous comment, application components are not in a position to set this header. Guarding against a possible duplicate in Tomcat would not help - maybe the response is not chunked at all and writing this header is invalid anyway? If your application is adding this header, this should be fixed in your application directly. |
the response chucked header is passed from another http interface, can I directly filter transfer-encoding header ? |
completely wrong |
posting this in a couple spring issues on this topic in the hopes it helps others. the best writeup of this problem i've encountered is https://knowledge.broadcom.com/external/article/298108/too-many-transfer-encodings-502-chunked.html. Trigger number 3 in that article was our problem
@Hollerweger 's comment above in #21523 (comment) provides an alternative that avoided this problem for us.
|
I am also affected by the "Trigger number 3" mentioned above. Hoping for another solution rather than refactoring tons of Controller methods. |
Pradeep Gadi opened SPR-16985 and commented
In our Middleware project we forward rest response from another service as it is to angular UI. The response we are getting to the Middleware already having transfer-encoding →chunked header. while returning the same response from our middleware to angular UI spring adding transfer-encoding again. see below response
content-type →application/json;charset=UTF-8
date →Fri, 29 Jun 2018 07:02:06 GMT
transfer-encoding →chunked, chunked
Because of this F5 not able to send the response properly. Spring should not add transfer-encoding If this header already present in the response.
Affects: 5.0.5
Issue Links:
The text was updated successfully, but these errors were encountered: