CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/06/03 14:00:07
Modified files:
usr.sbin/httpd : http.h server_http.c
Log message:
httpd: reject CL.TE request framing
RFC 9112 sections 6.1 and 6.3 identify a request containing both
Transfer-Encoding and Content-Length as ambiguous request smuggling
input. httpd is the origin server, not an intermediary, so it should not
rewrite the message and continue processing it.
Reject chunked requests that also carry Content-Length before method
specific body handling or FastCGI parameter generation; this avoids
exposing inconsistent framing metadata to applications.
Reported by: Stuart Thomas
OK: rsaodwski@
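The framing rule the commit enforces, as an added stand-alone example; this is not httpd's code and does not reproduce the committed change. It takes the header block of a request (the lines after the request line, CRLF-delimited), looks up Transfer-Encoding and Content-Length by case-insensitive field name, and refuses the request outright when both are present, before any body handling runs, instead of choosing one and carrying the other along. The header blocks, the enum, and the function names are constructed for this illustration.

```c
/*
 * Added example (not httpd's code): decide HTTP/1.1 request-body framing
 * from a raw header block and refuse the CL.TE ambiguity that RFC 9112
 * sections 6.1 and 6.3 describe. Names and sample requests are constructed.
 */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum framing { FRAME_NONE, FRAME_CONTENT_LENGTH, FRAME_CHUNKED, FRAME_REJECT };

struct framing_result {
	enum framing kind;
	unsigned long long length;	/* meaningful for FRAME_CONTENT_LENGTH */
};

/*
 * Find a header field by name in a CRLF-delimited header block (the lines
 * after the request line). Field names are case-insensitive (RFC 9110).
 * Returns a pointer to the trimmed field value and stores its length,
 * or NULL if the field is absent.
 */
static const char *
find_header(const char *hdrs, const char *name, size_t *vlen)
{
	size_t nlen = strlen(name);
	const char *line = hdrs;

	while (*line != '\0') {
		const char *eol = strstr(line, "\r\n");
		size_t llen = eol != NULL ? (size_t)(eol - line) : strlen(line);

		if (llen > nlen && line[nlen] == ':' &&
		    strncasecmp(line, name, nlen) == 0) {
			const char *v = line + nlen + 1;
			const char *end = line + llen;

			while (v < end && (*v == ' ' || *v == '\t'))
				v++;
			while (end > v && (end[-1] == ' ' || end[-1] == '\t'))
				end--;
			*vlen = (size_t)(end - v);
			return v;
		}
		if (eol == NULL)
			break;
		line = eol + 2;
	}
	return NULL;
}

/*
 * Decide how the body is framed. An origin server that sees both
 * Transfer-Encoding and Content-Length must not pick one and carry on;
 * the check runs before any body handling, so nothing downstream ever
 * sees the inconsistent pair.
 */
struct framing_result
decide_framing(const char *hdrs)
{
	struct framing_result r = { FRAME_NONE, 0 };
	size_t telen = 0, cllen = 0, i;
	const char *te = find_header(hdrs, "Transfer-Encoding", &telen);
	const char *cl = find_header(hdrs, "Content-Length", &cllen);

	if (te != NULL && cl != NULL) {
		r.kind = FRAME_REJECT;		/* CL.TE: ambiguous, refuse */
		return r;
	}
	if (te != NULL) {
		/* Only a bare "chunked" coding is accepted in this example. */
		r.kind = (telen == 7 && strncasecmp(te, "chunked", 7) == 0) ?
		    FRAME_CHUNKED : FRAME_REJECT;
		return r;
	}
	if (cl != NULL) {
		/* Content-Length must be a non-empty run of digits that fits. */
		if (cllen == 0) {
			r.kind = FRAME_REJECT;
			return r;
		}
		for (i = 0; i < cllen; i++) {
			if (!isdigit((unsigned char)cl[i]) ||
			    r.length > (ULLONG_MAX - 9) / 10) {
				r.kind = FRAME_REJECT;
				return r;
			}
			r.length = r.length * 10 + (unsigned long long)(cl[i] - '0');
		}
		r.kind = FRAME_CONTENT_LENGTH;
	}
	return r;
}

/* Constructed sample header blocks (request line omitted). */
const char cl_te_req[] = "Host: origin.example\r\nContent-Length: 13\r\n"
    "Transfer-Encoding: chunked\r\n\r\n";
const char chunked_req[] = "Host: origin.example\r\nTransfer-Encoding: chunked\r\n\r\n";
const char cl_req[] = "Host: origin.example\r\nContent-Length: 5\r\n\r\n";

int
main(void)
{
	static const char *const names[] = { "none", "content-length", "chunked", "reject" };

	printf("CL+TE   -> %s\n", names[decide_framing(cl_te_req).kind]);
	printf("chunked -> %s\n", names[decide_framing(chunked_req).kind]);
	printf("CL only -> %s (%llu bytes)\n", names[decide_framing(cl_req).kind],
	    decide_framing(cl_req).length);
	return 0;
}
```

The decision is made once, from the header block alone, and a FRAME_REJECT result is the only thing a caller should act on for the CL.TE case; a real server would answer 400 and close the connection rather than read any body bytes, since the peer's idea of where this request ends cannot be trusted. Conflicting duplicate Content-Length fields are a sibling rule in RFC 9112 section 6.3 that this example does not cover.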