@@ -659,28 +659,37 @@ function _M.send_request(self, params)
659659 headers [" Proxy-Authorization" ] = self .http_proxy_auth
660660 end
661661
662- -- Ensure minimal headers are set
662+ -- Ensure we have appropriate message length or encoding.
663+ do
664+ local is_chunked = transfer_encoding_is_chunked (headers )
665+
666+ if is_chunked then
667+ -- If we have both Transfer-Encoding and Content-Length we MUST
668+ -- drop the Content-Length, to help prevent request smuggling.
669+ -- https://tools.ietf.org/html/rfc7230#section-3.3.3
670+ headers [" Content-Length" ] = nil
663671
664- if not headers [" Content-Length" ] then
665- local body_type = type ( body )
672+ elseif not headers [" Content-Length" ] then
673+ -- A length was not given, try to calculate one.
666674
667- if body_type == " function" then
668- if not transfer_encoding_is_chunked (headers ) then
675+ local body_type = type (body )
676+
677+ if body_type == " function" then
669678 return nil , " Request body is a function but a length or chunked encoding is not specified"
670- end
671679
672- elseif body_type == " table" then
673- local length = 0
674- for _ , v in ipairs (body ) do
675- length = length + # tostring (v )
676- end
677- headers [" Content-Length" ] = length
680+ elseif body_type == " table" then
681+ local length = 0
682+ for _ , v in ipairs (body ) do
683+ length = length + # tostring (v )
684+ end
685+ headers [" Content-Length" ] = length
678686
679- elseif body == nil and EXPECTING_BODY [str_upper (params .method )] then
680- headers [" Content-Length" ] = 0
687+ elseif body == nil and EXPECTING_BODY [str_upper (params .method )] then
688+ headers [" Content-Length" ] = 0
681689
682- elseif body ~= nil then
683- headers [" Content-Length" ] = # tostring (body )
690+ elseif body ~= nil then
691+ headers [" Content-Length" ] = # tostring (body )
692+ end
684693 end
685694 end
686695
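Review bot: The `elseif not headers["Content-Length"]` branch only computes a length when none was given, so a caller-supplied Content-Length that disagrees with a string or table body is still sent unchanged, and a length mismatch is as much a desync risk as the Transfer-Encoding conflict handled just above it. Consider rejecting a value that is not a non-negative integer before the request is written, e.g. `local cl = tonumber(headers["Content-Length"])` followed by `if not cl or cl < 0 or cl % 1 ~= 0 then return nil, "invalid Content-Length" end`, and comparing it with `#body` when body is a string. Separately, the chunked branch drops Content-Length without confirming that the body will be chunk-framed. Whether the body writer or the caller does that framing is not visible in this hunk, so a comment such as `-- caller is responsible for chunk-encoding body when Transfer-Encoding: chunked is set` (or the opposite, if the library does it) would remove the ambiguity. send_request begins and ends outside this hunk.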