- my $input;
- my $len = $env->{CONTENT_LENGTH};
- if ($len) {
- if ($len > $MAX_REQUEST_BUFFER) {
- quit($self, 413);
- return;
- }
- open($input, '+>', undef);
- } elsif (env_chunked($env)) {
+ my ($input, $len);
+
+ # rfc 7230 3.3.2, 3.3.3,: favor Transfer-Encoding over Content-Length
+ my $hte = $env->{HTTP_TRANSFER_ENCODING};
+ if (defined $hte) {
+ # rfc7230 3.3.3, point 3 says only chunked is accepted
+ # as the final encoding. Since neither public-inbox-httpd,
+ # git-http-backend, or our WWW-related code uses "gzip",
+ # "deflate" or "compress" as the Transfer-Encoding, we'll
+ # reject them:
+ return quit($self, 400) if $hte !~ /\Achunked\z/i;
+