Reject Transfer-Encoding in pre-HTTP/1.1 requests
author Brian Neradt <brian.neradt@gmail.com>
Sat, 21 May 2022 17:28:31 +0000 (18:28 +0100)
committer Jean Baptiste Favre <debian@jbfavre.org>
Sat, 21 May 2022 17:28:31 +0000 (18:28 +0100)
commit fb3ff18abb6284cdaf88bfe56c966ce1ed50e82d
tree 6a55b59b249b7c4ea981ce12249a07ea79f96f35
parent 5d1b28c52cef23ebc1a688e578b45b4a52de5b7f
Reject Transfer-Encoding in pre-HTTP/1.1 requests

Origin: upstream
Applied-Upstream: https://github.com/apache/trafficserver/commit/e2c9ac217f24dc3e91ff2c9f52b52093e8fb32d5
Reviewed-by: Jean Baptiste Favre <debian@jbfavre.org>
Last-Update: 2022-05-21

Per spec, Transfer-Encoding is only supported in HTTP/1.1. For earlier
versions, we must reject Transfer-Encoding rather than interpret it
since downstream proxies may ignore the chunk header and rely upon the
Content-Length, or interpret the body some other way.  These differences
in interpretation may open up the door to compatibility issues. To
protect against this, we reply with a 4xx if the client uses
Transfer-Encoding with HTTP versions that do not support it.
Last-Update: 2022-05-21
Gbp-Pq: Name 0019-CVE_2021_37148.patch
proxy/http/HttpTransact.cc
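
The check the commit message describes, as an added stand-alone example (not the Apache Traffic Server code from this commit): a request head is rejected before forwarding when it carries Transfer-Encoding with a version below HTTP/1.1. The names `canon` and `precheck_status`, the choice of 400 as the 4xx status, and the sample request are assumptions of this example.

```cpp
// Added illustration; not Apache Traffic Server code. All names are hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <sstream>
#include <string>

// Lower-case a header name and trim surrounding whitespace, so padded forms
// such as "Transfer-Encoding : chunked" are still recognised.
static std::string canon(std::string s)
{
  auto not_ws = [](unsigned char c) { return !std::isspace(c); };
  s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_ws));
  s.erase(std::find_if(s.rbegin(), s.rend(), not_ws).base(), s.end());
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Status to answer with before forwarding: 400 to reject, 0 to proceed.
// 400 is this example's choice of 4xx.
int precheck_status(const std::string &head)
{
  std::istringstream in(head);
  std::string line;
  if (!std::getline(in, line)) return 400;
  int major = 0, minor = 9; // no version token: treat as an HTTP/0.9 simple request
  auto v = line.rfind("HTTP/");
  if (v != std::string::npos && std::sscanf(line.c_str() + v, "HTTP/%d.%d", &major, &minor) != 2)
    return 400;
  bool pre_1_1 = major < 1 || (major == 1 && minor < 1);
  while (std::getline(in, line) && line != "\r" && !line.empty()) {
    auto colon = line.find(':');
    if (colon == std::string::npos) return 400; // malformed header line
    if (pre_1_1 && canon(line.substr(0, colon)) == "transfer-encoding")
      return 400; // never interpret or forward chunked framing for this version
  }
  return 0;
}

int main()
{
  // Constructed sample: HTTP/1.0 request carrying both framing headers.
  const std::string req = "POST / HTTP/1.0\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n";
  std::printf("%d\n", precheck_status(req));
  return 0;
}
```

Rejecting the request outright, rather than stripping the header and forwarding, means no downstream hop ever has to choose between Content-Length and chunked framing for it.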