maskit commented on issue #11036:
URL: https://github.com/apache/trafficserver/issues/11036#issuecomment-1928076310

The behavior is based on this paragraph.
https://www.rfc-editor.org/rfc/rfc9112#section-6.3-2.3

> If a message is received with both a [Transfer-Encoding](https://www.rfc-editor.org/rfc/rfc9112#field.transfer-encoding) and a [Content-Length](https://www.rfc-editor.org/rfc/rfc9112#body.content-length) header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling ([Section 11.2](https://www.rfc-editor.org/rfc/rfc9112#request.smuggling)) or response splitting ([Section 11.1](https://www.rfc-editor.org/rfc/rfc9112#response.splitting)) and ought to be handled as an error. An intermediary that chooses to forward the message MUST first remove the received Content-Length field and process the Transfer-Encoding (as described below) prior to forwarding the message downstream.
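
The framing rule quoted above, sketched as an added example that is not part of the comment and is not Traffic Server code. It assumes a received request; `resolve_framing`, `FramingError`, `forward_ambiguous` and the sample headers are hypothetical names and constructed data.

```python
# Added illustration of RFC 9112 section 6.3 request framing.
# All names here are assumptions for the example, not Traffic Server APIs.
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: a request carrying both framing headers.
SAMPLE: Headers = [
    ("Host", "example.test"),
    ("Content-Length", "4"),
    ("Transfer-Encoding", "chunked"),
]


class FramingError(Exception):
    """The request is rejected instead of being forwarded."""


def _is(name: str, wanted: str) -> bool:
    # Field names are case-insensitive.
    return name.strip().lower() == wanted


def resolve_framing(headers: Headers, forward_ambiguous: bool = False) -> Tuple[str, Headers]:
    """Return (framing, headers_to_forward); framing is 'chunked', 'length' or 'none'."""
    te = [v for n, v in headers if _is(n, "transfer-encoding")]
    cl = [v.strip() for n, v in headers if _is(n, "content-length")]

    if te and cl:
        # "ought to be handled as an error": the default here is to reject.
        if not forward_ambiguous:
            raise FramingError("both Transfer-Encoding and Content-Length present")
        # An intermediary that forwards anyway MUST first remove every
        # received Content-Length field, so only Transfer-Encoding remains.
        headers = [(n, v) for n, v in headers if not _is(n, "content-length")]
        cl = []
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        # Same RFC section: in a request, chunked must be the final coding.
        if not codings or codings[-1] != "chunked":
            raise FramingError("chunked is not the final transfer coding")
        return "chunked", headers
    if cl:
        # Strict policy for this example: exactly one all-digit value.
        if len(cl) != 1 or not (cl[0].isascii() and cl[0].isdigit()):
            raise FramingError("invalid or repeated Content-Length")
        return "length", headers
    return "none", headers
```
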
