From 840e2417babcffa5082e6ab3621aa64761ffa873 Mon Sep 17 00:00:00 2001
From: Arturo Bernal
Date: Fri, 20 Feb 2026 08:15:22 +0100
Subject: [PATCH] httpcore5: Reject entities in 1xx and 205 responses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RFC 9110 requires that 1xx responses “cannot contain content or trailers” and that 205 responses MUST NOT generate content.
---
 .../http/protocol/ResponseConformance.java | 13 ++++++-----
 .../protocol/TestStandardInterceptors.java | 23 +++++++++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/ResponseConformance.java b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/ResponseConformance.java
index f0d3b5168c..5fb7b9cbbc 100644
--- a/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/ResponseConformance.java
+++ b/httpcore5/src/main/java/org/apache/hc/core5/http/protocol/ResponseConformance.java
@@ -63,12 +63,13 @@ public void process(final HttpResponse response, final EntityDetails entity, fin
 throws HttpException, IOException {
 Args.notNull(response, "HTTP response");
 final int status = response.getCode();
- switch (status) {
- case HttpStatus.SC_NO_CONTENT:
- case HttpStatus.SC_NOT_MODIFIED:
- if (entity != null) {
- throw new ProtocolException("Response " + status + " must not enclose an entity");
- }
+ if (status >= 100 && status < 200
+ || status == HttpStatus.SC_NO_CONTENT
+ || status == HttpStatus.SC_RESET_CONTENT
+ || status == HttpStatus.SC_NOT_MODIFIED) {
+ if (entity != null) {
+ throw new ProtocolException("Response " + status + " must not enclose an entity");
+ }
 }
 }
diff --git a/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java b/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
index d0c3d4104b..994bb9b4ad 100644
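Review bot: The new condition in process() mixes `&&` and `||` without parentheses, so the 1xx range test groups correctly only through operator precedence. Writing the first line as `if ((status >= 100 && status < 200)` makes the grouping explicit, and a comment such as `// RFC 9110: 1xx, 204, 205 and 304 responses must not carry content` would record why these codes are grouped. The guard is still `entity != null`, so a zero-length entity attached to a 205 or 1xx response is rejected too. That matches the earlier 204/304 handling, but code that previously set an empty entity on a 205 will presumably now get a ProtocolException, which seems worth stating in the class Javadoc or release notes. The body of process() starts above the hunk, so the Javadoc itself is not visible here.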
--- a/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
+++ b/httpcore5/src/test/java/org/apache/hc/core5/http/protocol/TestStandardInterceptors.java
@@ -1159,5 +1159,28 @@ void testInvalidDateReplaced() throws Exception {
 Assertions.assertNotEquals("Invalid Date", newDateHeader.getValue());
 }
+ @Test
+ void testResponseConformanceInformationalWithEntity() {
+ final HttpCoreContext context = HttpCoreContext.create();
+ final ClassicHttpResponse response = new BasicClassicHttpResponse(HttpStatus.SC_CONTINUE, "Continue");
+ response.setEntity(new StringEntity("stuff", StandardCharsets.US_ASCII));
+
+ final ResponseConformance interceptor = new ResponseConformance();
+ Assertions.assertThrows(ProtocolException.class, () ->
+ interceptor.process(response, response.getEntity(), context));
+ }
+
+ @Test
+ void testResponseConformanceResetContentWithEntity() {
+ final HttpCoreContext context = HttpCoreContext.create();
+ final ClassicHttpResponse response = new BasicClassicHttpResponse(HttpStatus.SC_RESET_CONTENT, "Reset Content");
+ response.setEntity(new StringEntity("stuff", StandardCharsets.US_ASCII));
+
+ final ResponseConformance interceptor = new ResponseConformance();
+ Assertions.assertThrows(ProtocolException.class, () ->
+ interceptor.process(response, response.getEntity(), context));
+ }
+
+
 }
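Review bot: Both added tests exercise only the throwing path, with status 100 and 205, so nothing in this hunk pins the upper edge of the new `status < 200` range or confirms that a 2xx response carrying an entity still passes. A companion case on an `HttpStatus.SC_OK` response, asserting `Assertions.assertDoesNotThrow(() -> interceptor.process(response, response.getEntity(), context));`, would guard against the range check being widened by accident. The rest of the test class lies outside the hunk, so such a case may already exist there.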