From e292a2b5198e7174d24858ca5b54872bb3702d12 Mon Sep 17 00:00:00 2001
From: Rob Ede
Date: Mon, 27 Jun 2022 04:18:34 +0100
Subject: [PATCH] disallow HTTP/1.0 requests without a CL header

---
 actix-http/src/h1/decoder.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/actix-http/src/h1/decoder.rs b/actix-http/src/h1/decoder.rs
index 44c4b8b82..27bec1a0f 100644
--- a/actix-http/src/h1/decoder.rs
+++ b/actix-http/src/h1/decoder.rs
@@ -185,6 +185,13 @@ pub(crate) trait MessageType: Sized {
                 content_length = None;
             }
 
+        // disallow HTTP/1.0 request that do not contain a Content-Length headers
+        // see https://datatracker.ietf.org/doc/html/rfc1945#section-7.2.2
+        if version == Version::HTTP_10 && content_length.is_none() {
+            debug!("no Content-Length specified for HTTP/1.0 request");
+            return Err(ParseError::Header);
+        }
+
         // https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
         if chunked {
             // Chunked encoding
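Review bot: The guard added after `content_length = None;` rejects every HTTP/1.0 request that lacks a Content-Length header, but the RFC 1945 §7.2.2 text the new comment cites only requires Content-Length on HTTP/1.0 requests that carry an entity body, so a bodiless HTTP/1.0 `GET` — valid and common from old clients and health probes — will now fail with `ParseError::Header`. The conservative reading of that section for a missing header is "no body, nothing to delimit", so the rejection should be narrowed to the case where a body is actually signalled; the one signal visible in this hunk is `chunked` (Transfer-Encoding is not defined for 1.0 and cannot be delimited safely there), e.g. `if version == Version::HTTP_10 && chunked && content_length.is_none() {`, letting CL-less 1.0 requests otherwise fall through to the existing no-body path — confirm against the branches below the hunk. The context line `content_length = None;` immediately above shows an earlier branch clears the value; if that branch also fires for a present but zero-valued Content-Length, conforming 1.0 requests that did send the header would be rejected here as well, which is worth checking. The comment text should also read `// disallow HTTP/1.0 requests that do not contain a Content-Length header`. The enclosing method starts before and ends after this hunk.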