https://bz.apache.org/bugzilla/show_bug.cgi?id=68970
--- Comment #7 from Joe Orton <[email protected]> ---

This is surely a consequence of r1916769 which clears Transfer-Encoding (unconditionally).

IMO there is not well-defined behaviour from having CGI scripts send chunked responses. In CGI the response body is a set of bytes delimited by EOF. The CGI spec is arguably not written in precise enough language that sending a chunked response is not explicitly disallowed but it is hardly obvious that it's correct/supported.

https://datatracker.ietf.org/doc/html/rfc3875#section-6.4

The response body is clearly defined as "a set of bytes delimited by EOF". A response body with the chunked transfer-coding applied is obviously a very different thing.

Regardless, we have a long history of having to clamp down on spec ambiguity to avoid security issues, and CVE-2024-24795 is another such case. Things which happened to work historically will no longer work and users should adapt accordingly.

Maybe we could extend the "ap_trust_cgilike_cl" interpretation to also allow T-E.

We do happen to have one test case for a CGI script sending a chunked response - which seems to work still, likely because it's only five bytes of content.
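An added illustration, not part of the comment above and not httpd code: it contrasts the two readings of a CGI body that the comment distinguishes, bytes up to EOF versus bytes with the chunked transfer-coding applied. The sample script output and all function names are constructed, and dropping the header while passing the body bytes through unchanged is an assumed simplification of the behaviour described.

```python
# Constructed sample: what a CGI script that chunks its own output writes to stdout.
SAMPLE_CGI_OUTPUT = (
    b"Content-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"7\r\n, world\r\n"
    b"0\r\n\r\n"
)

def split_cgi_response(raw: bytes):
    """Split CGI output into header fields and the EOF-delimited body (RFC 3875 6.4)."""
    ends = [(raw.find(sep), len(sep)) for sep in (b"\r\n\r\n", b"\n\n")]
    ends = [(pos, n) for pos, n in ends if pos != -1]
    if not ends:
        raise ValueError("no blank line after CGI header fields")
    pos, n = min(ends)
    headers = []
    for line in raw[:pos].splitlines():
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, raw[pos + n:]

def gateway_view(raw: bytes):
    """Assumed model: the script's Transfer-Encoding is cleared and the body
    is taken to be every byte up to EOF, with no de-chunking."""
    headers, body = split_cgi_response(raw)
    kept = [(n, v) for n, v in headers if n != b"transfer-encoding"]
    return kept, body

def dechunk(body: bytes) -> bytes:
    """Decode the chunked transfer-coding (extensions ignored, trailers skipped)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2

if __name__ == "__main__":
    headers, body = gateway_view(SAMPLE_CGI_OUTPUT)
    print("EOF-delimited body:", body)           # chunk framing is part of the bytes
    print("script's intended body:", dechunk(body))
```

Under the EOF-delimited reading the chunk-size lines are ordinary payload bytes, so a script that writes its body unframed gives the same result under either interpretation.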
