Hi, at $bigco I am seeing more and more scanners reporting HTTP request smuggling but the byte stream is really just two pipelined requests. They are costly to debunk.
So a few questions:

- Is it reasonable as a standalone additional HTTPProtocolOption to decide the behavior?
- Thoughts on behavior change in 2.4.x?
- 400 as a status code?

https://httpwg.org/specs/rfc9112.html#rfc.section.6.1.p.15

> A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks.

(this is in ap_read_request())

-- 
Eric Covener
cove...@gmail.com
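To make the distinction the post is about concrete (a genuine Content-Length plus Transfer-Encoding conflict inside one request head versus two cleanly framed pipelined requests on the same connection), here is an added example, not part of the post and not httpd's own code. It is a small RFC 9112 framing parser: each request head is framed by exactly one method, and only a head carrying both headers is classified as the 400-and-close case. The function and variable names and the two captured byte streams are constructed for the illustration.

```python
"""Triage a captured HTTP/1.1 connection stream: reject a single request head that
carries both Content-Length and Transfer-Encoding (RFC 9112 section 6.1), but frame
ordinary pipelined requests one after another without flagging them."""
from typing import Dict, List, Optional, Tuple

CRLF = b"\r\n"
Headers = Dict[str, List[str]]


class FramingError(Exception):
    """Raised when a request head cannot be framed unambiguously (400 + close)."""


def parse_request_head(buf: bytes, start: int) -> Optional[Tuple[str, Headers, int]]:
    """Return (request_line, headers, offset_after_head), or None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n", start)
    if end == -1:
        return None
    lines = buf[start:end].decode("latin-1").split("\r\n")
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise FramingError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def _read_chunked(buf: bytes, off: int) -> Optional[Tuple[bytes, int]]:
    """Decode a chunked body starting at off; None if more bytes are needed."""
    body = bytearray()
    while True:
        line_end = buf.find(CRLF, off)
        if line_end == -1:
            return None
        size_text = buf[off:line_end].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_text, 16)
        except ValueError:
            raise FramingError("bad chunk size: %r" % size_text)
        off = line_end + 2
        if size == 0:
            # Trailer section: header lines up to and including the empty line.
            while True:
                le = buf.find(CRLF, off)
                if le == -1:
                    return None
                line, off = buf[off:le], le + 2
                if not line:
                    return bytes(body), off
        if len(buf) < off + size + 2:
            return None
        body += buf[off:off + size]
        if buf[off + size:off + size + 2] != CRLF:
            raise FramingError("chunk data not terminated by CRLF")
        off += size + 2


def frame_body(buf: bytes, off: int, headers: Headers) -> Optional[Tuple[bytes, int]]:
    """Frame one request body by exactly one method; None if the body is incomplete."""
    has_cl = "content-length" in headers
    has_te = "transfer-encoding" in headers
    if has_cl and has_te:
        # The case RFC 9112 s6.1 lets a server reject: one head, two framing methods.
        raise FramingError("Content-Length and Transfer-Encoding in the same request head: "
                           "reject with 400 and close the connection")
    if has_te:
        codings = [c.strip().lower() for v in headers["transfer-encoding"] for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return _read_chunked(buf, off)
    if has_cl:
        values = set(headers["content-length"])
        if len(values) != 1 or not values.pop().isdigit():
            raise FramingError("invalid or conflicting Content-Length")
        n = int(headers["content-length"][0])
        if len(buf) < off + n:
            return None
        return buf[off:off + n], off + n
    return b"", off  # no body


def split_pipelined(buf: bytes) -> List[Tuple[str, Headers, bytes]]:
    """Frame every complete request in the stream, in order; stop at an incomplete tail."""
    requests: List[Tuple[str, Headers, bytes]] = []
    off = 0
    while off < len(buf):
        head = parse_request_head(buf, off)
        if head is None:
            break
        request_line, headers, off = head
        framed = frame_body(buf, off, headers)
        if framed is None:
            break
        body, off = framed
        requests.append((request_line, headers, body))
    return requests


def triage(buf: bytes) -> Tuple[str, str]:
    """('400', reason) for a real framing conflict; ('ok', summary) for plain pipelining."""
    try:
        reqs = split_pipelined(buf)
    except FramingError as exc:
        return "400", str(exc)
    return "ok", "%d pipelined request(s), each framed by exactly one method" % len(reqs)


# Constructed sample streams (hypothetical host, not real traffic).
PIPELINED = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
             b"POST /b HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"5\r\nworld\r\n0\r\n\r\n")
CONFLICT = (b"POST /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(triage(PIPELINED))
    print(triage(CONFLICT))
```

The scanner finding in the post is the first stream: a Content-Length request followed by a Transfer-Encoding request is two heads, each with one framing method, so the parser walks them and reports nothing. Only the second stream, where both headers sit in the same head, yields the 400-and-close verdict the RFC text permits.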