https://bz.apache.org/bugzilla/show_bug.cgi?id=68970

--- Comment #9 from Joe Orton <jor...@redhat.com> ---
Transfer-Encoding is not just any header; it is a header used for HTTP message
framing.
It has no place in CGI output because the response message body framing used
between the CGI script and the application server is "read all bytes to EOF" -
per my previous comment.

At least for mod_cgi* I think it would be better to return an error if the CGI
output contains Transfer-Encoding, rather than produce corrupt output.

Blindly trusting that a CGI script produces correct HTTP message framing allows
the "desynchronisation attack" called CVE-2024-24795. It would be absurd for
mod_cgi* to try to parse CGI output using the complete HTTP/1.1 message framing
logic (like removing transfer-codings) because there is no *such requirement
for CGI script output*.

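As an added illustration of the framing rule this comment describes (example code, not httpd or mod_cgi code): split CGI output at the first blank line, take the body verbatim to EOF, and fail closed on Transfer-Encoding instead of relaying it. The `FRAMING_HEADERS` set, `CgiFramingError` and `frame_for_client` are this example's own names, and the Content-Length policy is the example's, not httpd's.

```python
# Added example (not httpd code): CGI output is "headers, blank line, body
# to EOF"; framing headers from the script are refused, never relayed.
from typing import Dict, Tuple

# Header field names that define HTTP/1.1 message framing. The comment
# names Transfer-Encoding; this set is the example's own choice.
FRAMING_HEADERS = frozenset({"transfer-encoding"})


class CgiFramingError(ValueError):
    """CGI output tried to dictate HTTP message framing."""


def parse_cgi_output(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split raw CGI stdout into (headers, body).

    The header block ends at the first empty line (CRLF or bare LF); the
    body is everything after it, taken verbatim to EOF. No transfer-coding
    is decoded, because none applies to CGI script output.
    """
    cut, delim_len = len(raw), 0          # no blank line: headers only
    for delim in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(delim)
        if idx != -1 and idx < cut:
            cut, delim_len = idx, len(delim)
    header_block, body = raw[:cut], raw[cut + delim_len:]

    headers: Dict[str, str] = {}
    for line in header_block.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed CGI header line: {line!r}")
        key = name.strip().decode("ascii", "replace").lower()
        if key in FRAMING_HEADERS:
            # Fail closed, as the comment proposes for mod_cgi*, rather
            # than emitting output whose framing the script controls.
            raise CgiFramingError(f"CGI output must not send {key}")
        headers[key] = value.strip().decode("latin-1")
    return headers, body


def frame_for_client(headers: Dict[str, str], body: bytes) -> Dict[str, str]:
    """The server, not the script, frames the client response: derive
    Content-Length from the bytes actually read (example policy)."""
    out = dict(headers)
    out["content-length"] = str(len(body))
    return out
```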