47e48027480228e4e32a0b4df39db497b4804921
88%

Ran 02 Jun 2026 09:52AM UTC

Jobs 1

Files 20

Run time 1min

Badge

Embed ▾

Committed 02 Jun 2026 09:49AM UTC coverage: 88.114% (+0.02%) from 88.098%

Build # 47e48027480228e4e32a0b4df39db497b4804921

Build Type

push

github

Committed by

web-flow

Commit Message

Merge commit from fork

`Mint.HTTP1.Parse.content_length_header/1` parsed the header value with
`Integer.parse/1`, which accepts an optional `+`/`-` sign prefix. The
`length >= 0` guard rejected negatives but let values like `+0` or `+123`
through, returning them as valid lengths.

RFC 7230 defines `Content-Length = 1*DIGIT`, with no sign permitted. On a
connection shared with a strict fronting proxy this parser disagreement is a
response-smuggling primitive: the proxy frames the body one way and Mint
another.

Validate that the trimmed value is one or more digits before converting it,
so signs, embedded whitespace, or any non-digit byte are rejected with
`:invalid_content_length_header`.

Fixes GHSA-mjqx-c6f6-7rc2.

Coverage Stats

5 of 5 new or added lines in 1 file covered. (100.0%)

1364 of 1548 relevant lines covered (88.11%)

242.35 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	47e48027480228e4e32a0b4df39db497b4804921.1	02 Jun 2026 09:52AM UTC	20	88.11	GitHub Action Run

elixir-mint / mint / 47e48027480228e4e32a0b4df39db497b4804921
88%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 47e48027480228e4e32a0b4df39db497b4804921

elixir-mint / mint / 47e48027480228e4e32a0b4df39db497b4804921 88%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 47e48027480228e4e32a0b4df39db497b4804921

elixir-mint / mint / 47e48027480228e4e32a0b4df39db497b4804921
88%

README BADGES
x