CVE-2024-41110: Go HTTP Content Length Gate Without Chunked Check
greprules fetch cve-2024-41110-go-http-content-length-gate-without-chunked-check --engine opengrep
Description
An *http.Request body read/forward is gated only on `ContentLength > 0`, without also accepting chunked Transfer-Encoding. RFC 7230 specifies that Content-Length is ignored when Transfer-Encoding: chunked is set, and Go's net/http reports `r.ContentLength == -1` for chunked requests. A client can therefore smuggle a body past this gate by sending a chunked r
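The gate described above, shown next to a form that also accepts chunked bodies. This is an added Go example, not the rule's or any project's own code; `weakGate`, `strictGate`, `inspected` and the sample requests are names and data constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample requests (not captured traffic).
const (
	fixedLen = "POST /v1/action HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
	chunked  = "POST /v1/action HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
	noBody   = "GET /v1/action HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

// parse reads a raw request with net/http's own server-side parser.
func parse(raw string) *http.Request {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		panic(err)
	}
	return r
}

// weakGate is the flagged pattern: the body is handled only when ContentLength > 0.
func weakGate(r *http.Request) bool { return r.ContentLength > 0 }
// strictGate also accepts unknown length (-1), which is how chunked bodies appear.
func strictGate(r *http.Request) bool { return r.ContentLength > 0 || r.ContentLength == -1 }

// inspected returns the body a gate passes to a (hypothetical) inspection step, "" if skipped.
func inspected(raw string, gate func(*http.Request) bool) string {
	r := parse(raw)
	if !gate(r) {
		return ""
	}
	b, err := io.ReadAll(r.Body)
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	for _, raw := range []string{fixedLen, chunked, noBody} {
		fmt.Printf("CL=%d weak=%q strict=%q\n", parse(raw).ContentLength, inspected(raw, weakGate), inspected(raw, strictGate))
	}
}
```

With the weak gate the chunked request's body never reaches the inspection step, while the strict gate sees the same five bytes in both framings and still skips the bodyless GET.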
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided