Description
Setup:
ModSecurity + Application Request Routing (ARR) + IIS
ModSecurity is adding a Content-Length header even when chunked encoding is enabled. According to the RFC (https://www.ietf.org/rfc/rfc2616.txt):
"Messages MUST NOT include both a Content-Length header field and a
non-identity transfer-coding. If the message does include a non-
identity transfer-coding, the Content-Length MUST be ignored."
It is violating the first line of the above and ARR fails it down the pipeline.
The code is in:
iis/mymodule.cpp
apr_status_t WriteBodyCallback(request_rec *r, char *buf, unsigned int length)
{
    CHAR szLength[21]; //Max length for a 64 bit int is 20
    ZeroMemory(szLength, sizeof(szLength));
    HRESULT hr = StringCchPrintfA(
        szLength,
        sizeof(szLength) / sizeof(CHAR) - 1, "%d",
        length);
    if(FAILED(hr))
    {
        // not possible
    }
    hr = pHttpRequest->SetHeader(
        HttpHeaderContentLength,
        szLength,
        (USHORT)strlen(szLength),
        TRUE);
Was this SetHeader Content-Length intentional?
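
An added example, not part of the original report and not ModSecurity's or IIS's code: a portable sketch of the check the quoted RFC text implies, which sets Content-Length only when no non-identity transfer-coding is present. The `Headers` map and the function names are hypothetical stand-ins for the IIS request interface, and the sketch covers only the header decision, not how the body itself is forwarded.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Hypothetical header container keyed by lower-cased header name.
// This is not the IIS IHttpRequest interface used in the report.
using Headers = std::map<std::string, std::string>;

// Strip surrounding whitespace and lower-case a token.
static std::string lower_trim(std::string s) {
    auto not_space = [](unsigned char c) { return !std::isspace(c); };
    s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_space));
    s.erase(std::find_if(s.rbegin(), s.rend(), not_space).base(), s.end());
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// True when Transfer-Encoding lists any coding other than "identity".
bool has_non_identity_coding(const Headers& h) {
    auto it = h.find("transfer-encoding");
    if (it == h.end()) return false;
    std::stringstream list(it->second);
    std::string coding;
    while (std::getline(list, coding, ',')) {
        // Drop any ";param" suffix before comparing the coding name.
        coding = lower_trim(coding.substr(0, coding.find(';')));
        if (!coding.empty() && coding != "identity") return true;
    }
    return false;
}

// Records the body length only when the message does not use a non-identity
// transfer-coding; otherwise removes any Content-Length so the two framing
// headers never coexist. Returns true if Content-Length was set.
bool set_body_length(Headers& h, unsigned int length) {
    if (has_non_identity_coding(h)) {
        h.erase("content-length");
        return false;
    }
    h["content-length"] = std::to_string(length);
    return true;
}
```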