AsyncRead + !AsyncSeek sized response body?

[dnbln]

Hello! I have a body type that is AsyncRead + !AsyncSeek, but I also have its size ahead-of-time. Is there a way to create a Response with a sized body from it? Looking at the source, it seems possible only if it implements AsyncSeek, but my use case is a tokio::process::ChildStdout (CGI script response), and that doesn't implement AsyncSeek.

[SergioBenitez]

No, it is not possible as this would allow for trivially creating "sized" bodies with sizes that don't correspond to the actual body size, confusing clients, violating the HTTP spec, and potentially causing all sorts of security issues. From RFC9110:

Because Content-Length is used for message delimitation in HTTP/1.1, its field value can impact how the message is parsed by downstream recipients even when the immediate connection is not using HTTP/1.1. If the message is forwarded by a downstream intermediary, a Content-Length field value that is inconsistent with the received message framing might cause a security failure due to request smuggling or response splitting.

As a result, a sender MUST NOT forward a message with a Content-Length header field value that is known to be incorrect.

I am not certain how you could know the size of your stream in advance, unless you control the CGI script and you account for all possible faults. But if you do happen to know, and the size is small enough, then you may want to read into a Vec if you really want a Content-Length sent. Otherwise, not setting the size is unlikely to cause issues.