Merge commit from fork

Author: mtrudel

lib/bandit/headers.ex

@@ -49,9 +49,11 @@ defmodule Bandit.Headers do
   @spec get_content_length(Plug.Conn.headers()) ::
           {:ok, nil | non_neg_integer()} | {:error, String.t()}
   def get_content_length(headers) do
-    case get_header(headers, "content-length") do
-      nil -> {:ok, nil}
-      value -> parse_content_length(value)
+    # We need to special case this because we don't accept multiple content-length headers
+    case Enum.filter(headers, &(elem(&1, 0) == "content-length")) do
+      [] -> {:ok, nil}
+      [{"content-length", value}] -> parse_content_length(value)
+      _ -> {:error, "invalid content-length header (RFC9112§6.3)"}
     end
   end
 

test/bandit/http1/protocol_test.exs

@@ -828,6 +828,26 @@ defmodule HTTP1ProtocolTest do
       send_resp(conn, 200, "OK")
     end
 
+    # Error case for content-length as defined in https://www.rfc-editor.org/rfc/rfc9112.html#section-6.3-2.5
+    @tag :capture_log
+    test "rejects a request with multiple separate content length headers, even if identical",
+         context do
+      # Use a smaller body size to avoid raciness in reading the response
+      response =
+        Req.post!(context.req,
+          url: "/expect_body_with_multiple_content_length",
+          headers: [{"content-length", "8000"}, {"content-length", "8000"}],
+          body: String.duplicate("a", 8_000)
+        )
+
+      assert response.status == 400
+
+      assert_receive {:log, %{level: :error, msg: {:string, msg}}}, 500
+
+      assert msg ==
+               "** (Bandit.HTTPError) Content length unknown error: \"invalid content-length header (RFC9112§6.3)\""
+    end
+
     # Error case for content-length as defined in https://www.rfc-editor.org/rfc/rfc9112.html#section-6.3-2.5
     @tag :capture_log
     test "rejects a request with non-matching multiple content lengths", context do