On 8/16/23 1:32 PM, Eric Covener wrote:
>>> So a few questions:
>>>
>>> - Is it reasonable as a standalone additional HTTPProtocolOption to
>>> decide the behavior?
>>> - Thoughts on behavior change in 2.4.x?
>>> - 400 as a status code?
>>>
>>> https://httpwg.org/specs/rfc9112.html#rfc.section.6.1.p.15
>>>
>>> A server MAY reject a request that contains both Content-Length and
>>> Transfer-Encoding or process such a request in accordance with the
>>> Transfer-Encoding alone. Regardless, the server MUST close the
>>> connection after responding to such a request to avoid the potential
>>> attacks.
>>
>> We currently ignore the content-length header, proceed and close the connection
>> afterwards as suggested above. Do you suggest that we should reject such requests
>> based on a configuration setting?
> 
> Yes, reject when both are set.
> 

Sounds fine for me as long as we don't make it the default, at least not in 2.4

Regards

Rüdiger
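
The two behaviours discussed in this thread, as an added Python sketch (not Apache httpd code and not part of the original messages): ignore Content-Length and frame by Transfer-Encoding alone, or reject with 400, closing the connection in both cases as RFC 9112 section 6.1 requires. The `reject_both` parameter, the `Decision` type and the sample requests are assumptions made for illustration.

```python
# Added illustration, not Apache httpd code. `reject_both` is a hypothetical
# stand-in for the configuration setting discussed in the thread.
from dataclasses import dataclass


@dataclass
class Decision:
    status: int             # 0 = keep processing, 400 = reject the request
    framing: str            # "transfer-encoding", "content-length", "none", "rejected"
    close_connection: bool  # forced close; True whenever both headers were present
    headers: dict


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased field names to value lists (assumes well-formed lines)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.decode("latin-1").lower(), []).append(
            value.decode("latin-1").strip())
    return headers


def decide_framing(raw: bytes, reject_both: bool = False) -> Decision:
    headers = parse_headers(raw)
    has_te = "transfer-encoding" in headers
    has_cl = "content-length" in headers
    if has_te and has_cl:
        if reject_both:
            return Decision(400, "rejected", True, headers)
        # Transfer-Encoding alone decides the framing; drop Content-Length so
        # no later component (e.g. a proxied backend) frames the body by it.
        del headers["content-length"]
        return Decision(0, "transfer-encoding", True, headers)
    if has_te:
        return Decision(0, "transfer-encoding", False, headers)
    if has_cl:
        return Decision(0, "content-length", False, headers)
    return Decision(0, "none", False, headers)


# Constructed sample requests (not captured traffic).
BOTH = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CL_ONLY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 4\r\n\r\nabcd")
```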
