This repository has been archived by the owner on Dec 18, 2018. It is now read-only.
Reject upgrade requests that also have content-length specified #1570
Comments
|
We should try out a few servers to see what their behavior is here. |
|
@natemcmaster please ping @halter73 for context on this issue. |
natemcmaster
changed the title
|
Discussed with team. Let's leave this for 2.0. Doesn't seem urgent enough for a 1.1.x patch. As noted aspnet/Security#1121, this bug only appears when the client is sending an unusual combination of Upgrade and Content-Length. |
This was referenced Apr 17, 2017
natemcmaster
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
aspnet/Security#1121 (comment) for explanation and context.
1.0.x behavior:
https://github.com/aspnet/KestrelHttpServer/blob/rel/1.0.3/src/Microsoft.AspNetCore.Server.Kestrel/Internal/Http/MessageBody.cs#L130
1.1.x behavior:
https://github.com/aspnet/KestrelHttpServer/blob/rel/1.1.1/src/Microsoft.AspNetCore.Server.Kestrel/Internal/Http/MessageBody.cs#L245
Let's argue whether this is a regression fix or a breaking change 😄 But we're likely to see more people having issues like the one above.
It doesn't help that nginx's own guidance is to force the
Connection: upgradeheader:http://nginx.org/en/docs/http/websocket.html
I don't know why that's the case since just forwarding the client's
Connectionheader using the$http_Connectionvariable seems more reasonable than that.cc @muratg @Eilon @davidfowl
The text was updated successfully, but these errors were encountered: