Description
We have some users attempting to POST where the content length is -1.
POST /services/rest HTTP/1.1\r\n
Host: api.flickr.com\r\n
Accept: /\r\n
Content-Length: -1\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Expect: 100-continue\r\n
ATS goes ahead with this request and connects to the origin and passes the invalid content length.
Preferable, and consistent with the spec, ATS should immediately respond to the client with an error.
RFC-2616 Section 14.13 says 'Any Content-Length greater than or equal to zero is a valid value.' I interpret that as a negative content length value is invalid.
I propose that ATS respond with a '400 Invalid Request' for PUT/POST/PUSH requests when the user provided content-length is less than 0.