From: szweep <szweep@gmail.com>
Date: Fri, 23 Oct 2015 14:24:35 +0000 (-0400)
Subject: Check for Content-Length and Transfer-Encoding
X-Git-Tag: v4.3.0b2~5^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e83251146d171515674357e4450f2f18e320a8e4;p=thirdparty%2Ftornado.git

Check for Content-Length and Transfer-Encoding

If an HTTP response contains both Content-Length and
Transfer-Encoding headers, flag this as an error as
per RFC 7230, Section 3.3.3#3. Also added a unit test
to validate the code.
---

diff --git a/tornado/http1connection.py b/tornado/http1connection.py
index c9eb2ad4c..1c577063b 100644
--- a/tornado/http1connection.py
+++ b/tornado/http1connection.py
@@ -515,6 +515,12 @@ class HTTP1Connection(httputil.HTTPConnection):
 
     def _read_body(self, code, headers, delegate):
         if "Content-Length" in headers:
+            if "Transfer-Encoding" in headers:
+                # Response cannot contain both Content-Length and
+                # Transfer-Encoding headers.
+                # http://tools.ietf.org/html/rfc7230#section-3.3.3
+                raise httputil.HTTPInputError(
+                    "Response with both Transfer-Encoding and Content-Length")
             if "," in headers["Content-Length"]:
                 # Proxies sometimes cause Content-Length headers to get
                 # duplicated.  If all the values are identical then we can
diff --git a/tornado/test/simple_httpclient_test.py b/tornado/test/simple_httpclient_test.py
index b6687a298..90394ec2f 100644
--- a/tornado/test/simple_httpclient_test.py
+++ b/tornado/test/simple_httpclient_test.py
@@ -735,3 +735,22 @@ class MaxBufferSizeTest(AsyncHTTPTestCase):
         response = self.fetch('/large')
         response.rethrow()
         self.assertEqual(response.body, b'a' * 1024 * 100)
+
+
+class ChunkedWithContentLengthTest(AsyncHTTPTestCase):
+    def get_app(self):
+
+        class ChunkedWithContentLength(RequestHandler):
+            def get(self):
+                # Add an invalid Transfer-Encoding to the response
+                self.set_header('Transfer-Encoding', 'chunked')
+                self.write("Hello world")
+
+        return Application([('/chunkwithcl', ChunkedWithContentLength)])
+
+    def test_chunked_with_content_length(self):
+        # Make sure the invalid headers are detected
+        with ExpectLog(gen_log, ("Malformed HTTP message from None: Response "
+                       "with both Transfer-Encoding and Content-Length")):
+            response = self.fetch('/chunkwithcl')
+        self.assertEqual(response.code, 599)