- Last Change:
- Clone URL:
ssh://anonymous@rsadowski.gothub.org:2242/httpd.git
- ECDSA:
SHA256:Oq94TREAyXnZDrdacYaMwJnEVSPH4q+LaRHm/zHWzEY
- ED25519:
SHA256:ifzNYlBwG2RJUJ5G0c/Ec/Ggry4qeZBlg2SMMkdmHm8
- RSA:
SHA256:ic1xfYGl/bQ07MLkmBh3GjgznuKfAzIxsUmla82R9GY
Commit Briefs
httpd: reject CL.TE request framing (main)
RFC 9112 sections 6.1 and 6.3 identify a request containing both Transfer-Encoding and Content-Length as ambiguous request smuggling input. httpd is the origin server, not an intermediary, so it should not rewrite the message and continue processing it. Reject chunked requests that also carry Content-Length before method specific body handling or FastCGI parameter generation; this avoids exposing inconsistent framing metadata to applications. Reported by: Stuart Thomas OK: rsadowski@
httpd: reject obs-fold with 400 (RFC 9112 5.2)
Replace silent kv_extend normalisation with an unconditional 400. RFC 9112 5.2 explicitly permits rejection; it is the safer choice over SP replacement, which hides parser ambiguity downstream. Reported by Stuart Thomas, OK kirill@
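The two rejections described in the commits above (CL.TE framing and obs-fold), sketched as a stand-alone check. This is an added example, not code from httpd: check_request_framing() and name_is() are hypothetical names, the sample request is constructed, and any Transfer-Encoding header is treated as chunked. It also rejects whitespace before the colon (RFC 9112 5.1) so a disguised Content-Length cannot slip past the comparison.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Case-insensitive compare of a field name of length nlen. */
static int
name_is(const char *p, size_t nlen, const char *name)
{
	return (strlen(name) == nlen && strncasecmp(p, name, nlen) == 0);
}

/*
 * Scan the header lines that follow the request line (each ending in
 * CRLF, closed by an empty line). Returns 0 or the status to send (400).
 */
int
check_request_framing(const char *hdrs)
{
	int has_te = 0, has_cl = 0;
	const char *line = hdrs, *eol, *colon;

	while ((eol = strstr(line, "\r\n")) != NULL && eol != line) {
		size_t len = (size_t)(eol - line);

		/* obs-fold: a continuation line starts with SP or HTAB */
		if (line[0] == ' ' || line[0] == '\t')
			return (400);
		/* no colon, empty name, or whitespace before the colon */
		colon = memchr(line, ':', len);
		if (colon == NULL || colon == line || colon[-1] == ' ' || colon[-1] == '\t')
			return (400);
		if (name_is(line, (size_t)(colon - line), "Transfer-Encoding"))
			has_te = 1;
		else if (name_is(line, (size_t)(colon - line), "Content-Length"))
			has_cl = 1;
		line = eol + 2;
	}
	/* Both framing headers present: ambiguous, reject rather than pick one. */
	return ((has_te && has_cl) ? 400 : 0);
}

int
main(void)
{
	/* Constructed sample: headers of a request with conflicting framing. */
	const char *req = "Host: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n";
	printf("%d\n", check_request_framing(req));
	return (0);
}
```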
Fix uploads using chunked transfer-encoding
The current code is broken so rework server_read_httpchunks() to properly implement chunked transfer-encoding. Chunked uploads only matter for fastcgi handlers, so adjust them to operate with chunked uploads. The problem is that the CGI spec mandates that CONTENT_LENGTH is set but for chunked transfers the content-length header is actually not allowed. Both fastcgi and cgi don't really need CONTENT_LENGTH since the data is passed via FCGI_STDIN messages or a pipe and in both cases EOF can be signaled just fine. Still some cgi/fastcgi handlers depend on the presence of CONTENT_LENGTH and so those fail to process such chunked uploads. For this reason add a config option to opt-in for chunked uploads but by default any upload with transfer-encoding chunked will result in an HTTP 400 error. OK kirill@ rsadowski@
usr.sbin/httpd: add cache controls for static files
Teach httpd to advertise static file revalidation by default with Cache-Control: no-cache, preserving the existing Last-Modified and If-Modified-Since flow; add a [no] static-cache-control directive for opting out, and advertise Vary: Accept-Encoding whenever gzip-static is enabled. OK: claudio@
usr.sbin/httpd: inherit gzip-static in locations
Location configuration inherited most server level options but dropped gzip-static, so requests matching a location skipped static gzip lookup even when the parent server enabled it. Add an explicit no gzip-static state and inherit the gzip flag pair only when the location has not set either form, preserving location specific overrides. Reported by and OK: job@
Standardize logging with bgpd
Tweak and OK claudio@
remove empty server_http_init
OK claudio
