Commit Briefs

b1e4a73c82 kirill

httpd: reject CL.TE request framing (main)

RFC 9112 sections 6.1 and 6.3 identify a request containing both Transfer-Encoding and Content-Length as ambiguous request smuggling input. httpd is the origin server, not an intermediary, so it should not rewrite the message and continue processing it. Reject chunked requests that also carry Content-Length before method specific body handling or FastCGI parameter generation; this avoids exposing inconsistent framing metadata to applications. Reported by: Stuart Thomas OK: rsadowski@


5cac517d8a rsadowski

httpd: reject obs-fold with 400 (RFC 9112 5.2)

Replace silent kv_extend normalisation with an unconditional 400. RFC 9112 5.2 explicitly permits rejection; it is the safer choice over SP replacement, which hides parser ambiguity downstream. Reported by Stuart Thomas, OK kirill@


1e1b4b3ec9 jsg

correct mdoc usage


b4a5134dc6 jsg

speficfication -> specification


c2d52c279d claudio

Fix uploads using chunked transfer-encoding

The current code is broken so rework server_read_httpchunks() to properly implement chunked transfer-encoding. Chunked uploads only matter for fastcgi handlers, so adjust them to operate with chunked uploads. The problem is that the CGI spec mandates that CONTENT_LENGTH is set but for chunked transfers the content-length header is actually not allowed. Both fastcgi and cgi don't really need CONTENT_LENGTH since the data is passed via FCGI_STDIN messages or a pipe and in both cases EOF can be signaled just fine. Still some cgi/fastcgi handlers depend on the presence of CONTENT_LENGTH and so those fail to process such chunked uploads. For this reason add a config option to opt-in for chunked uploads but by default any upload with transfer-encoding chunked will result in an HTTP 400 error. OK kirill@ rsadowski@


141a5f1e31 kirill

usr.sbin/httpd: add cache controls for static files

Teach httpd to advertise static file revalidation by default with Cache-Control: no-cache, preserving the existing Last-Modified and If-Modified-Since flow; add a [no] static-cache-control directive for opting out, and advertise Vary: Accept-Encoding whenever gzip-static is enabled. OK: claudio@


3d9ef5b474 kirill

usr.sbin/httpd: widen server flags to 64-bit integers

OK job@


9711a56ef7 kirill

usr.sbin/httpd: inherit gzip-static in locations

Location configuration inherited most server level options but dropped gzip-static, so requests matching a location skipped static gzip lookup even when the parent server enabled it. Add an explicit no gzip-static state and inherit the gzip flag pair only when the location has not set either form, preserving location specific overrides. Reported by and OK: job@


9f799d9055 rsadowski

Standardize logging with bgpd

Tweak and OK claudio@


4a9fc8a790 rsadowski

remove empty server_http_init

OK claudio


694ec08805 claudio

Error out on presence of Content-Length and Transfer-Encoding headers

for GET, HEAD and other methods that should have no body. Ignoring the Content-Length header makes httpd vulnerable to HTTP request smuggling. A crafted GET request may embed an extra HTTP request which could bypass a proxy or WAF but then is handled by httpd. Remove the special case for TRACE and CONNECT in the Content-Length handling. Move those checks into the method switch at the end of the header parsing phase and by that also cover more methods including GET and HEAD. If either header is present simply abort the connection, nobody should send extra data along GET and HEAD requests. Add an explicit HTTP_METHOD_TRACE case above the default case to indicate that we deliberately don't handle TRACE requests. This security vulnerability was found by Nicola Staller of SySS GmbH. With and OK rsadowski@ previous version also OK florian@
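The three framing rules described in the commits above (reject obs-fold per RFC 9112 5.2, reject Transfer-Encoding together with Content-Length per RFC 9112 6.1/6.3, and reject any framing header on GET/HEAD) combined into one header-block check, as an added illustration that is not httpd's own code. `framing_check` and its constructed sample requests are hypothetical; where httpd aborts the connection, this example simply reports 400.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical check modelled on the rules in the commits above.
 * hdrs is the CRLF-separated header block after the request line.
 * Returns 0 when framing is acceptable, 400 when the request must be
 * rejected. */
int
framing_check(const char *method, const char *hdrs)
{
	int has_te = 0, has_cl = 0;
	const char *p = hdrs;

	while (*p != '\0') {
		const char *eol = strstr(p, "\r\n");
		size_t len = eol ? (size_t)(eol - p) : strlen(p);

		/* RFC 9112 5.2: a line starting with SP/HTAB is obs-fold */
		if (len > 0 && (p[0] == ' ' || p[0] == '\t'))
			return 400;
		if (strncasecmp(p, "Transfer-Encoding:", 18) == 0)
			has_te = 1;
		else if (strncasecmp(p, "Content-Length:", 15) == 0)
			has_cl = 1;
		if (eol == NULL)
			break;
		p = eol + 2;
	}

	/* RFC 9112 6.1/6.3: both headers present is ambiguous framing */
	if (has_te && has_cl)
		return 400;
	/* Methods that carry no body must not carry framing headers
	 * (httpd aborts the connection here; 400 is used for simplicity) */
	if ((strcmp(method, "GET") == 0 || strcmp(method, "HEAD") == 0) &&
	    (has_te || has_cl))
		return 400;
	return 0;
}

int
main(void)
{
	/* constructed sample header blocks */
	printf("POST TE+CL: %d\n", framing_check("POST",
	    "Host: x\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n"));
	printf("GET CL: %d\n", framing_check("GET",
	    "Host: x\r\nContent-Length: 0\r\n"));
	printf("obs-fold: %d\n", framing_check("POST",
	    "Host: x\r\n folded\r\n"));
	return 0;
}
```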


5e36945a5e claudio

In server_read_httpchunks() do not blindly enable the bufferevent.

This leads to a use-after-free since the bev->readcb() call could free the memory holding the bev right before the bufferevent_enable() call. Reported by Pontus Stenetorp. OK florian@ rsadowski@


6fb75f225b schwarze

Slightly improve a confusing wording in the parse.y manuals:

The things that need quoting are not necessarily "argument names", and not even necessarily "names" at all, so just talk about "arguments". "I guess?" florian@ and no objection from otto@, both back in July 2025. Actually, the quoting rules are more complicated than the text makes believe, but I do not know how to better describe them. It may not be easy because some suspect the implementation may be somewhat ad hoc rather than based on clearly defined lexical rules.


a030517f06 rsadowski

validate return_uri_len before copying data

Spotted by tb@, ok claudio


38978fc61e rsadowski

fix scan-build dead stores findings

- httpd.c:533 – q assigned but immediately overwritten in the loop
- server.c:891 – inrd/inwr assigned, then reassigned, never actually needed
- server_fcgi.c:678,690 – kv result unused

OK stsp@


6e77fedee8 tb

httpd: fix server_http_time() to emit GMT times again

The HTTP standard RFC 9110 requires GMT, in HTTP-date. We used to do this until a recent change to localtime.c changed GMT to UTC. From Sören Tempel, ok sthen


3f1c295fee rsadowski

Add "no banner" option to suppress Server header

Introduces a global and per-server "[no] banner" directive that prevents httpd from sending the Server HTTP response header and removes server identification from error documents. The SERVER_SOFTWARE CGI environment variable remains set as required by RFC 3875. Diff by Lloyd (thanks), ok kirill@


4525f6dfc1 rsadowski

Add missing GZIP_STATIC flag to SRVFLAG_BITS macro

GZIP_STATIC flag at position \33 was missing from the debug string. Also correct the truncated PATH_REWRITE/NO_PATH_REWRITE flag names. The PATH_REWRITE and NO_PATH_REWRITE flag names were truncated to PATH and NO_PATH in the SRVFLAG_BITS string definition. OK kirill@ deraadt@


afc41fe083 deraadt

Systopia team at UBC found 5 info leaks in the private privsep protocol

between httpd programs, and provided a fix. ok claudio benno florian


8dcab0e2df schwarze

Make internal hyperlinking work by moving custom sections from .Sh to .Ss

and the titles from all caps to sentence case such that they match the table of contents, and switch from .Sy to .Sx as needed. OK florian@


6859aa4cb8 schwarze

In the manual pages for configuration files based on parse.y, describe

the syntax of both defining and using macros, rather than exclusively relying on examples, which some of the pages do not even provide. In those pages containing tables of content, also clarify that the "Macros" section contains *definitions* of variables. Both changes were already committed to vm.conf(5) earlier. In those few pages that referenced cpp(1) and m4(1), stop doing that because the macro definition syntax and the macro dereferencing syntax of both languages is totally different from the parse.y syntax. OK florian@, and deraadt also requests keeping these manuals in sync.


fbc6024ac5 florian

Set correct request timeout once we found the correct server block.

On accept(2), httpd(8) sets the timeout based on ip:port. Once we have parsed the http headers we can find the name-based server block and apply its request timeout. Problem identified and fix from Nick Owens, thanks! OK tb


78044f5e33 claudio

Convert various reyk proc.c daemons over to new imsgbuf_init and

imsgbuf_allow_fdpass. OK tb@


5728bd4f29 claudio

Convert the common imsgbuf_read calls to the post EAGAIN world.

OK tb@


9d8a74db13 claudio

Use imsgbuf_queuelen() instead of accessing the w.queue member.

OK tb@