This repository was archived by the owner on Dec 18, 2018. It is now read-only.

Reject upgrade requests that also have content-length specified #1570

@cesarblum

aspnet/Security#1121 (comment) for explanation and context.

1.0.x behavior:

https://github.com/aspnet/KestrelHttpServer/blob/rel/1.0.3/src/Microsoft.AspNetCore.Server.Kestrel/Internal/Http/MessageBody.cs#L130

1.1.x behavior:

https://github.com/aspnet/KestrelHttpServer/blob/rel/1.1.1/src/Microsoft.AspNetCore.Server.Kestrel/Internal/Http/MessageBody.cs#L245

Let's argue whether this is a regression fix or a breaking change 😄 But we're likely to see more people having issues like the one above.

It doesn't help that nginx's own guidance is to force the Connection: upgrade header:

http://nginx.org/en/docs/http/websocket.html

I don't know why that's the case since just forwarding the client's Connection header using the $http_Connection variable seems more reasonable than that.

cc @muratg @Eilon @davidfowl
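
Added example, not part of the original issue or of either project's code: the forced `Connection: upgrade` setting from the nginx WebSocket guidance next to two alternatives, the `map` from the same nginx documentation and the `$http_connection` pass-through the issue suggests. The upstream name `backend`, its address and the three location paths are placeholders.

```nginx
# Constructed configuration for illustration; names, address and paths are placeholders.

# Derive the upstream Connection value from the client's Upgrade header
# (the map shown in nginx's WebSocket documentation).
map $http_upgrade $connection_upgrade {
    default upgrade;   # client sent an Upgrade header: ask the upstream to upgrade
    ''      close;     # no Upgrade header: ordinary request, no upgrade token
}

upstream backend {
    server 127.0.0.1:5000;   # placeholder address for the Kestrel application
}

server {
    listen 80;

    # Forced header: every proxied request, including a POST that carries
    # Content-Length, reaches the upstream with "Connection: upgrade".
    location /forced/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Conditional header: "Connection: upgrade" is sent only when the client
    # itself supplied an Upgrade header.
    location /conditional/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Pass-through: forward the client's own Connection header unchanged.
    # An empty value means nginx sends no Connection header to the upstream.
    location /passthrough/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

With the first block, a server that rejects upgrade requests carrying `Content-Length` would refuse ordinary form posts sent through the proxy; the other two blocks only mark a request as an upgrade when the client asked for one.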
