Tree

Tree:
40454962a57fe543bee8a79f46911accac738488
Date:
Message:
httpd: reject CL.TE request framing RFC 9112 sections 6.1 and 6.3 identify a request containing both Transfer-Encoding and Content-Length as ambiguous request smuggling input. httpd is the origin server, not an intermediary, so it should not rewrite the message and continue processing it. Reject chunked requests that also carry Content-Length before method specific body handling or FastCGI parameter generation; this avoids exposing inconsistent framing metadata to applications. Reproted by: Stuart Thomas OK: rsaodwski@
Makefilecommits | blame
config.ccommits | blame
control.ccommits | blame
css.h.incommits | blame
http.hcommits | blame
httpd.8commits | blame
httpd.ccommits | blame
httpd.conf.5commits | blame
httpd.hcommits | blame
js.h.incommits | blame
log.ccommits | blame
log.hcommits | blame
logger.ccommits | blame
parse.ycommits | blame
patterns.7commits | blame
patterns.ccommits | blame
patterns.hcommits | blame
proc.ccommits | blame
server.ccommits | blame
server_fcgi.ccommits | blame
server_file.ccommits | blame
server_http.ccommits | blame
toheader.sedcommits | blame