[Bug 1226217] Regression of security fix: Apache ignores headers sent by CGI scripts
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1226217
https://bugzilla.suse.com/show_bug.cgi?id=1226217#c8
--- Comment #8 from David Anes
Here a short test script showing both issues:
#!/usr/bin/perl
print "Status: 200 OK\r\n"; print "Transfer-Encoding: chunked\r\n"; print "Content-Length: 3\r\n"; print "\r\n"; print "3\r\n"; print "---\r\n"; print "0\r\n"; print "\r\n";
Isn't this wrong as per http spec?
3. If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 11.2) or response splitting (Section 11.1) and ought to be handled as an error. An intermediary that chooses to forward the message MUST first remove the received Content-Length field and process the Transfer-Encoding (as described below) prior to forwarding the message downstream.
https://www.rfc-editor.org/rfc/rfc9112#name-message-body-length The problem I see is that our patches are missing a patch that was added later to show an error instead of processing the request (https://github.com/apache/httpd/pull/444) Can you try the same but removing "Transfer-Encoding" from the perl CGI? -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com