507523 – GET request includes "Content-Length: 0" header

Bug 507523 - GET request includes "Content-Length: 0" header

Summary: GET request includes "Content-Length: 0" header

Status:	RESOLVED FIXED

Alias:	None

Product:	frameworks-kio
Classification:	Frameworks and Libraries
Component:	HTTP (other bugs)
Version First Reported In:	6.16.0
Platform:	openSUSE Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	KIO Bugs

URL:
Keywords:

Depends on:
Blocks:	507265
	Show dependency tree / graph

Reported:	2025-07-26 19:57 UTC by Robby Stephenson
Modified:	2025-08-15 15:23 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:	https://invent.kde.org/frameworks/kio/-/commit/b9fec2e687bb8f7b885cd010daceb78a13268b17
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Robby Stephenson 2025-07-26 19:57:39 UTC

SUMMARY
Using KIO::storedGet sends an http request which includes the header, "Content-Length: 0". Current RFC says that header shouldn't be sent.

STEPS TO REPRODUCE
Use whatever method you choose to observe the http request headers. One possibility is:
$ kioclient cat https://httpbin.org/headers

OBSERVED RESULT
{
  "headers": {
    "Accept-Encoding": "zstd, br, gzip, deflate", 
    "Accept-Language": "en-US,*", 
    "Content-Length": "0", 
    "Host": "httpbin.org", 
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) KIO/6.16 kioworker/6.16.0"
  }
}
EXPECTED RESULT
Based on the RFC, the Content-Length header shouldn't be sent. For comparison, curl sends:
$ curl https://httpbin.org/headers
{
  "headers": {
    "Accept": "*/*", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/8.14.1"
  }
}

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 6.16.0
Qt Version: 6.9.1

ADDITIONAL INFORMATION
RFC9110, https://www.rfc-editor.org/rfc/rfc9110.html#name-content-length, says:
> A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content
> and the method semantics do not anticipate such data.
An older one, RFC2616, https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13, is worded differently.
> Any Content-Length greater than or equal to zero is a valid value.
There doesn't seem to be anything that distinguishes method semantics in the older RFC.

Various other reports suggest this could be an issue with some CDNs.
https://github.com/http-kit/http-kit/issues/583
https://github.com/httprb/http/issues/487

Comment 1 Bug Janitor Service 2025-07-27 17:35:29 UTC

A possibly relevant merge request was started @ https://invent.kde.org/frameworks/kio/-/merge_requests/1958

Comment 2 Christoph Cullmann 2025-08-15 15:23:02 UTC

Git commit b9fec2e687bb8f7b885cd010daceb78a13268b17 by Christoph Cullmann, on behalf of Robby Stephenson.
Committed on 15/08/2025 at 15:00.
Pushed by cullmann into branch 'master'.

Avoid "Content-Length: 0" header for empty GET and HEAD requests

The QBuffer pointer eventually gets sent as a QIODevice ptr to
QNetworkAccessManager::sendCustomRequest(...) and Qt then sends a
"Content-Length: 0" header for all requests even if the data itself is
empty. Per RFC9110, "A user agent SHOULD NOT send a Content-Length
header field when the request message does not contain content and the
method semantics do not anticipate such data." Semantically, HTTP_GET
and HTTP_HEAD shouldn't send the header when the data is empty.
Account for the Qt behavior here until behavior is modified.

M  +6    -1    src/kioworkers/http/http.cpp

https://invent.kde.org/frameworks/kio/-/commit/b9fec2e687bb8f7b885cd010daceb78a13268b17