On Sun, Jan 18, 2026 at 09:52:15PM +0100, Willy Tarreau wrote: > On Sun, Jan 18, 2026 at 08:49:04PM +0000, Ben Kallus wrote: > > Haven't reviewed, this, but wanted to chime in with a correction: > > > > > A quoted-string continues until the closing DQUOTE, even if it contains > > `\r\n` sequences. > > > > This isn't true. An RFC-compliant parser should reject \r\n within a > > chunk-ext and respond 400. Go look at the definitions of qdtext and > > quoted-pair; neither one allows CR or LF. > > > > If nginx indeed behaves the way you claim, this is also a bug in nginx. > > It's very likely that both haproxy and nginx are both slightly too lax > in a different direction, making the issue work with both together. In > any case we should definitely reject such extensions. We'll review that > in detail tomorrow morning.
In fact it's more ambiguous, because 7230 already used to say: A recipient MUST ignore unrecognized chunk extensions which is in contradiction with parsing and verifying them. And I think that by now, many implementations just ignore them without validating them. Implementing a validation would require adding quite a bit of dedicated code. We'll see what can reasonably be done anyway. Willy
