HTTP: can I trust the value of the Content-Length request header?

I am developing a file download service. I want my users to be limited in the total size of the downloaded files, i.e. they have quotas for uploaded files. Therefore, I want to check the available quota when the user starts to upload a new file. The easiest way is to take the value of the "Content-Length" header of the POST request and check it against the remaining user quota. But I'm worried about whether I can trust the Content-Length value. What should I do if a bad guy indicates a small value in the "Content-Length" header and starts downloading a huge file?

Do I have to additionally check while reading from the input stream (and saving the file to disk) or is it redundant (and such a situation should be detected by web servers)?

+4
1 answer

Short answer: safe

Long answer. Typically, servers should read (at most) as many bytes as indicated in the Content-Length request header. Any bytes that appear after this are expected to belong to a completely new request (reusing the same connection).

I would suggest that this requirement is checked on the server, checking that the next few bytes can be parsed as a query string.

request-line = method SP request-target SP HTTP-version CRLF


+3
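To make the answer concrete, here is an added example (not code from the original answer or the asker's service) of how a server-side upload handler can apply both checks at once: reject early when the declared Content-Length already exceeds the remaining quota, read no more than the declared number of bytes so that anything after them is left in the stream for the next request on the same connection, treat a short body as an incomplete upload, and, when no length was declared at all, cap the bytes actually stored at the quota instead of relying on the header. The function names, the `UploadRejected` exception, and the assumption that the framework hands over a raw byte stream positioned at the start of the body (with any chunked transfer coding already decoded) are all assumptions of this example.

```python
import io


class UploadRejected(Exception):
    """Raised when an upload must be refused before or during the body read (assumed name)."""


def read_upload_body(stream, declared_length, remaining_quota, chunk_size=8192):
    """Read one request body from `stream` without trusting Content-Length alone.

    declared_length: value of the Content-Length header, or None if absent.
    remaining_quota: bytes the user is still allowed to store.
    Returns (body_bytes, bytes_received) or raises UploadRejected.
    """
    if declared_length is not None:
        if declared_length < 0:
            raise UploadRejected("invalid Content-Length")
        # Cheap up-front check: the client told us the size, so refuse before reading.
        if declared_length > remaining_quota:
            raise UploadRejected("declared size exceeds remaining quota")

    received = 0
    chunks = []
    while True:
        if declared_length is None:
            # No declared length: read until EOF, but the quota check below still caps it.
            want = chunk_size
        else:
            # Never read past the declared length: those bytes are the next request.
            want = min(chunk_size, declared_length - received)
            if want == 0:
                break
        chunk = stream.read(want)
        if not chunk:
            if declared_length is None:
                break
            # The client declared more than it sent: incomplete upload, do not store.
            raise UploadRejected("connection closed before declared body was complete")
        received += len(chunk)
        # Count what actually arrived, independent of the header value.
        if received > remaining_quota:
            raise UploadRejected("quota exceeded while reading body")
        chunks.append(chunk)
    return b"".join(chunks), received


def try_upload(raw, declared_length, remaining_quota):
    """Run read_upload_body over an in-memory stream built from constructed bytes and
    report (status, detail, leftover), where leftover is what the next request would see."""
    stream = io.BytesIO(raw)
    try:
        body, n = read_upload_body(stream, declared_length, remaining_quota)
    except UploadRejected as exc:
        return ("rejected", str(exc), stream.read())
    return ("stored", n, stream.read())


if __name__ == "__main__":
    # Constructed sample: a 10-byte body followed by the start of a second request.
    print(try_upload(b"A" * 10 + b"GET / HTTP/1.1\r\n", 10, 100))
    # Constructed sample: small declared length, huge actual body.
    print(try_upload(b"A" * 1_000_000, 10, 100)[0:2])
```

Running the first sample stores exactly 10 bytes and leaves `GET / HTTP/1.1\r\n` unread, which is the behaviour the answer describes: the server stops at the declared length and the remainder is parsed as a new request. In the second sample the oversized body is simply not consumed as part of this upload; whether the leftover bytes parse as a valid request line is then the HTTP parser's problem, not the quota's.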

Source: https://habr.com/ru/post/1544945/
