Handle duplicate Content-Length headers per RFC 7230 §3.3.2

sferik · sferik · commit abcbe0c442b1 · 2026-03-11T18:47:02.000-07:00
When a server sends duplicate Content-Length headers with identical values, collapse them into a single value instead of returning nil. When values conflict, return nil (reject as invalid). Previously, duplicate headers caused either a TypeError or silently returned nil even for valid identical duplicates. Closes #566.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- `Response#content_length` now handles duplicate `Content-Length` headers per
+  RFC 7230 Section 3.3.2. When all values are identical, they are collapsed into
+  a single valid value. When values conflict, `nil` is returned instead of
+  raising `TypeError`. ([#566])
 - HTTP 1xx informational responses (e.g. `100 Continue`) are now transparently
   skipped, returning the final response. This was a regression introduced when
   the parser was migrated from http-parser to llhttp. ([#667])
diff --git a/lib/http/response.rb b/lib/http/response.rb
@@ -220,10 +220,12 @@ def content_length
       # and a Content-Length header field, the Transfer-Encoding overrides the Content-Length.
       return nil if @headers.include?(Headers::TRANSFER_ENCODING)
 
-      value = @headers[Headers::CONTENT_LENGTH]
-      return nil unless value
+      # RFC 7230 Section 3.3.2: If multiple Content-Length values are present,
+      # they must all be identical; otherwise treat as invalid.
+      values = @headers.get(Headers::CONTENT_LENGTH).uniq
+      return nil unless values.one?
 
-      Integer(value, exception: false)
+      Integer(values.first, exception: false)
     end
 
     # Parsed Content-Type header
diff --git a/test/http/response_test.rb b/test/http/response_test.rb
@@ -120,6 +120,32 @@
       end
     end
 
+    context "with duplicate identical Content-Length" do
+      let(:headers) do
+        h = HTTP::Headers.new
+        h.add("Content-Length", "5")
+        h.add("Content-Length", "5")
+        h
+      end
+
+      it "returns the deduplicated value" do
+        assert_equal 5, response.content_length
+      end
+    end
+
+    context "with conflicting Content-Length values" do
+      let(:headers) do
+        h = HTTP::Headers.new
+        h.add("Content-Length", "5")
+        h.add("Content-Length", "10")
+        h
+      end
+
+      it "returns nil" do
+        assert_nil response.content_length
+      end
+    end
+
     context "with Transfer-Encoding header" do
       let(:headers) { { "Transfer-Encoding" => "chunked", "Content-Length" => "5" } }
 
