If the response has content-length but not content-encoding, Bandit will go ahead to compress the response body, but leak the original uncompressed content-length. This results in the client seeing the response as truncated.
If the response has content-encoding as gzip already, Bandit seems to do a second compression.
Ideally, Bandit should detect the presence of content-encoding in the response header, and skip compression if it is present. When there is no content-encoding in the headers, Bandit should remove the old content-length header, if any, and replace it with the compressed content-length.
According to:
https://ninenines.eu/docs/en/cowboy/2.6/manual/cowboy_compress_h/
Cowboy does it. As of now, I have to disable compression globally, which is sub-optimal.
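As an added illustration of the two behaviours the issue describes (this is not Bandit's code, nor code from the issue author; it is a Python reconstruction of the header logic, with the sample request and response messages constructed here), the snippet below places the reported behaviour beside the header-aware variant the issue asks for, and adds a small checker that reports what a strict client would notice: a Content-Length that disagrees with the bytes actually sent, or a gzip body that decodes into another gzip stream.

```python
import gzip

# Constructed sample messages (not taken from Bandit or from the issue):
PLAIN_BODY = b"hello from bandit " * 64                    # repetitive, so it compresses well
PLAIN_HEADERS = {"content-type": "text/plain",
                 "content-length": str(len(PLAIN_BODY))}   # handler set Content-Length itself
PRE_GZIPPED_BODY = gzip.compress(PLAIN_BODY)               # handler already gzipped its body
PRE_GZIPPED_HEADERS = {"content-type": "text/plain",
                       "content-encoding": "gzip",
                       "content-length": str(len(PRE_GZIPPED_BODY))}


def client_accepts_gzip(request_headers):
    """Split Accept-Encoding into coding tokens, dropping q-values."""
    value = request_headers.get("accept-encoding", "").lower()
    tokens = [part.strip().split(";")[0] for part in value.split(",")]
    return "gzip" in tokens


def naive_compress(request_headers, response_headers, body):
    """The behaviour the issue reports (reconstructed, hypothetical): gzip whenever the
    client accepts it, without looking at the headers the handler already set."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    if not client_accepts_gzip(request_headers):
        return headers, body
    headers["content-encoding"] = "gzip"    # re-encodes an already gzipped body
    return headers, gzip.compress(body)     # the handler's stale Content-Length survives


def header_aware_compress(request_headers, response_headers, body):
    """The behaviour the issue asks for: leave an already encoded response alone;
    otherwise gzip and rewrite Content-Length to the compressed size."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    if not client_accepts_gzip(request_headers) or "content-encoding" in headers:
        return headers, body
    compressed = gzip.compress(body)
    headers["content-encoding"] = "gzip"
    headers["content-length"] = str(len(compressed))
    headers["vary"] = "accept-encoding"     # caches must key on the request's Accept-Encoding
    return headers, compressed


def decoded_body(headers, body):
    """Undo one layer of gzip, as a client would, or pass an unencoded body through."""
    return gzip.decompress(body) if headers.get("content-encoding") == "gzip" else body


def check_response(headers, body):
    """Return the problems a strict client would hit when reading this response."""
    problems = []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        problems.append("content-length mismatch")   # client reads short or hangs waiting
    if headers.get("content-encoding") == "gzip" and decoded_body(headers, body)[:2] == b"\x1f\x8b":
        problems.append("double gzip")               # one decode still yields a gzip magic number
    return problems


if __name__ == "__main__":
    req = {"accept-encoding": "gzip, deflate"}
    for label, fn in (("naive", naive_compress), ("header-aware", header_aware_compress)):
        for hdrs, body in ((PLAIN_HEADERS, PLAIN_BODY), (PRE_GZIPPED_HEADERS, PRE_GZIPPED_BODY)):
            out_h, out_b = fn(req, hdrs, body)
            print(label, "content-encoding" in hdrs, check_response(out_h, out_b) or "ok")
```

Running the block prints one line per combination: the naive policy trips the checker on both inputs (a stale Content-Length for the plain body, double encoding for the pre-gzipped one), while the header-aware policy passes both. The `vary` header is not part of the issue's request; it is included because a compressed variant served without it can be cached and replayed to a client that did not advertise gzip.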
derek-zhou changed the title from "content-encoding negotiation should be disabled when the response headers already contains content-encoding/content-length" to "content-encoding negotiation should be disabled when the response headers already contain content-encoding" on May 22, 2023
Yep, agreed that this should be better handled as you suggest. I'm also having to be more aware of the returned headers (specifically Connection: close) for the issue underlying #149, so I'll make sure to fold both of these into a consolidated solution coming in the next release (a few days away, I think).