Hello,

I have a patch proposal in this ticket:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

The goal is to make mod_proxy conformant to this part of RFC 7320 about the
good way of preventing effects of backends compromised by HTTP splitting/HTTP
smuggling attacks.

> rfc 7320:
> If the final response to the last request on a connection has been
> completely received and there remains additional data to read, a user
> agent MAY discard the remaining data or attempt to determine if that
> data belongs as part of the prior response body, which might be the
> case if the prior message's Content-Length value is incorrect. A
> client MUST NOT process, cache, or forward such extra data as a
> separate response, since such behavior would be vulnerable to cache
> poisoning.

Currently, when mod_proxy receives a response from a backend consisting of
more than one response, the extra responses are stored and reused later when
another request uses the same backend connection.

Which is quite annoying.

If you take Nginx, for example, the behavior is to send the extra responses
directly to the request doing the first query, which is also wrong but less
annoying because usually the first query is the one transmitting the splitting
attack. Other agents are able to discard the content (Varnish, haproxy, etc.).

More details in the tickets.
I'm open to discussions about the right way to fix that behavior, but I think
the current patch is almost good.

--
Régis Leroy [regilero]
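
The connection-reuse problem described in the message above, as an added example that is not part of the original post and is not mod_proxy code: a toy Python model of a pooled backend connection, showing the leftover bytes being served to the next request versus being discarded. `BackendConn`, `proxy_request`, `second_client_sees` and the sample responses are constructed for illustration, and only Content-Length framing is handled.

```python
# Constructed sample data: the backend answers client A's request with TWO
# responses (the second is the injected one), then answers client B normally.
LEGIT_1 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
INJECTED = b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\ninjected"
LEGIT_2 = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nhome"


class BackendConn:
    """Hypothetical pooled connection: a read buffer plus a 'retired' flag."""
    def __init__(self):
        self.buf = b""
        self.closed = False


def read_response(conn):
    """Consume exactly one Content-Length-framed response from conn.buf."""
    head, sep, rest = conn.buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if len(rest) < length:
        raise ValueError("incomplete body")
    conn.buf = rest[length:]  # whatever follows the body stays buffered
    return head + sep + rest[:length]


def proxy_request(conn, backend_bytes, discard_extra):
    """Relay one response; backend_bytes is what the backend sent for it."""
    conn.buf += backend_bytes
    resp = read_response(conn)
    if discard_extra and conn.buf:
        # Response complete but data remains: never treat it as a separate
        # response. Drop it and retire the connection.
        conn.buf = b""
        conn.closed = True
    return resp


def second_client_sees(discard_extra):
    conn = BackendConn()
    proxy_request(conn, LEGIT_1 + INJECTED, discard_extra)  # client A
    if conn.closed:
        conn = BackendConn()  # retired connection is replaced, not reused
    return proxy_request(conn, LEGIT_2, discard_extra)  # client B
```

With `discard_extra=False` client B receives the buffered extra response and the connection stays desynchronized; with `discard_extra=True` client B receives its own response on a fresh connection.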


