Bug Report
Version
tower-http v0.2.1
Platform
Debian Linux 12 (“bookworm”)
Linux feynman 5.15.0-3-amd64 #1 SMP Debian 5.15.15-1 (2022-01-18) x86_64 GNU/Linux
rustc 1.58.1 (db9d1b20b 2022-01-20)
Description
When using CompressionLayer, the accept-encoding header sent by the client is not parsed correctly (i.e., according to RFC 7231, sections 5.3.1 and 5.3.4). The following program demonstrates the issues (using axum v0.4.5):
use axum::{routing::get, Router};
use tower_http::compression::{predicate::SizeAbove, CompressionLayer};
#[tokio::main]
async fn main() {
let app = Router::new()
.route("/", get(|| async { "" }))
.layer(CompressionLayer::new().compress_when(SizeAbove::new(0)));
axum::Server::bind(&"0.0.0.0:3000".parse().unwrap())
.serve(app.into_make_service())
.await
.unwrap();
}Case 1: Uppercase encodings and qvalues are not parsed (fixed by #220)
Encodings and qvalues are case-insensitive, i.e. the server should understand them whether they are lowercase, uppercase, or a mixture of both.
| Command |
Expected Encoding |
Observed Encoding |
curl -I -H 'accept-encoding: GZIP' http://127.0.0.1:3000/ |
gzip |
(none) |
curl -I -H 'accept-encoding: gZiP' http://127.0.0.1:3000/ |
gzip |
(none) |
curl -I -H 'accept-encoding: gzip;q=0.5, br;Q=0.8' http://127.0.0.1:3000/ |
br |
gzip |
Case 2: Spaces before and after semicolon are not parsed (fixed by #220)
Space and horizontal tab characters are allowed before and after the semicolon separating the encoding from the qvalue.
| Command |
Expected Encoding |
Observed Encoding |
curl -I -H 'accept-encoding: gzip;q=0.5, br; q=0.8' http://127.0.0.1:3000/ |
br |
gzip |
curl -I -H 'accept-encoding: gzip;q=0.5, br ;q=0.8' http://127.0.0.1:3000/ |
br |
gzip |
curl -I -H 'accept-encoding: gzip;q=0.5, br ; q=0.8' http://127.0.0.1:3000/ |
br |
gzip |
Case 3: Invalid qvalues are accepted (fixed by #220)
Qvalues are expected to have exactly 1 digit before and not more than 3 digits after the decimal point.
| Command |
Expected Encoding |
Observed Encoding |
Explanation |
curl -I -H 'accept-encoding: gzip;q=00.5' http://127.0.0.1:3000/ |
gzip |
(none) |
More than 1 digit before decimal point |
curl -I -H 'accept-encoding: gzip;q=0.5000' http://127.0.0.1:3000/ |
gzip |
(none) |
More than 3 digits after decimal point |
curl -I -H 'accept-encoding: gzip;q=.5' http://127.0.0.1:3000/ |
gzip |
(none) |
Missing digit before decimal point |
Case 4: Request not rejected if client rejects identity encoding
If the client explicitly rejects the identity encoding or the wildcard encoding *, and accepts no encodings supported by the server, the request should be rejected.
| Command |
Expected HTTP Status Code |
Observed HTTP Status Code |
curl -I -H 'accept-encoding: identity;q=0' http://127.0.0.1:3000/ |
406 Not Acceptable |
200 OK |
curl -I -H 'accept-encoding: *;q=0' http://127.0.0.1:3000/ |
406 Not Acceptable |
200 OK |
Bug Report
Version
tower-http v0.2.1
Platform
Debian Linux 12 (“bookworm”)
Linux feynman 5.15.0-3-amd64 #1 SMP Debian 5.15.15-1 (2022-01-18) x86_64 GNU/Linux
rustc 1.58.1 (db9d1b20b 2022-01-20)
Description
When using
CompressionLayer, theaccept-encodingheader sent by the client is not parsed correctly (i.e., according to RFC 7231, sections 5.3.1 and 5.3.4). The following program demonstrates the issues (using axum v0.4.5):Case 1: Uppercase encodings and qvalues are not parsed (fixed by #220)
Encodings and qvalues are case-insensitive, i.e. the server should understand them whether they are lowercase, uppercase, or a mixture of both.
curl -I -H 'accept-encoding: GZIP' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gZiP' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gzip;q=0.5, br;Q=0.8' http://127.0.0.1:3000/Case 2: Spaces before and after semicolon are not parsed (fixed by #220)
Space and horizontal tab characters are allowed before and after the semicolon separating the encoding from the qvalue.
curl -I -H 'accept-encoding: gzip;q=0.5, br; q=0.8' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gzip;q=0.5, br ;q=0.8' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gzip;q=0.5, br ; q=0.8' http://127.0.0.1:3000/Case 3: Invalid qvalues are accepted (fixed by #220)
Qvalues are expected to have exactly 1 digit before and not more than 3 digits after the decimal point.
curl -I -H 'accept-encoding: gzip;q=00.5' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gzip;q=0.5000' http://127.0.0.1:3000/curl -I -H 'accept-encoding: gzip;q=.5' http://127.0.0.1:3000/Case 4: Request not rejected if client rejects identity encoding
If the client explicitly rejects the identity encoding or the wildcard encoding
*, and accepts no encodings supported by the server, the request should be rejected.curl -I -H 'accept-encoding: identity;q=0' http://127.0.0.1:3000/curl -I -H 'accept-encoding: *;q=0' http://127.0.0.1:3000/