Yeah, httpd is riddled with request smuggling bugs. relayd is also really bad. I reported a lot of these things about a year ago, and most of it wasn't patched. I figured that if I'm the only person who cares about this, I should write the patch (and I haven't), so I guess it's on me :)
These servers should not be used to serve requests containing bodies. httpd has a much worse bug right now, which is that any POST request that gets handled by FastCGI will have its body echoed before the response. Afaik this wasn't fixed either, because it couldn't be decided whether it's better to remove support for FastCGI-handled requests for bodies, or fix the bug. -Ben
