On Sun, Jan 18, 2026 at 08:49:04PM +0000, Ben Kallus wrote: > Haven't reviewed, this, but wanted to chime in with a correction: > > > A quoted-string continues until the closing DQUOTE, even if it contains > `\r\n` sequences. > > This isn't true. An RFC-compliant parser should reject \r\n within a > chunk-ext and respond 400. Go look at the definitions of qdtext and > quoted-pair; neither one allows CR or LF. > > If nginx indeed behaves the way you claim, this is also a bug in nginx.
It's very likely that both haproxy and nginx are both slightly too lax in a different direction, making the issue work with both together. In any case we should definitely reject such extensions. We'll review that in detail tomorrow morning. Thanks, willy
