Skip to content

security bug fix: Fix malformed Content-Encoding header in json-status upload#2

Open
billmcilhargey wants to merge 1 commit into
ADSBexchange:masterfrom
blackoutsecure:patch-1
Open

security bug fix: Fix malformed Content-Encoding header in json-status upload#2
billmcilhargey wants to merge 1 commit into
ADSBexchange:masterfrom
blackoutsecure:patch-1

Conversation

@billmcilhargey
Copy link
Copy Markdown

@billmcilhargey billmcilhargey commented May 3, 2026

Summary

Fixes a malformed HTTP header in the json-status upload path. The curl POST was sending Content_Encoding: gzip (underscore) instead of the RFC-compliant Content-Encoding: gzip (hyphen).

Problem

Per RFC 7230 § 3.2, HTTP header field names must use hyphens. While many servers tolerate underscores via fallback parsing, hardened gateways silently drop them — most notably nginx, which defaults to underscores_in_headers off.

When the header is dropped:

  • The gzipped body is delivered without the Content-Encoding flag.
  • The server treats the payload as raw bytes and may attempt to gunzip data it doesn't know is compressed (or skip decompression entirely), causing the upload to fail or be misinterpreted.

Fix

Single-character change in json-status (line ~362):

- -H "Content_Encoding: gzip"
+ -H "Content-Encoding: gzip"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@billmcilhargey