Hi Ben,

Thanks for the context. It's definitely frustrating when architectural flaws persist due to the complexity of the HTTP state machine.

You mentioned that you didn't write the patches for your previous findings. Fortunately, for this specific RFC 7230 violation (the silent fallback to Content-Length when encountering an invalid Transfer-Encoding), the fix is extremely trivial. I have already included the exact C patch in my original report. It merely requires adding an else branch in server_http.c to explicitly return a 400 Bad Request and drop the connection, rather than allowing the parser to default to clt_toread.

Hopefully, since the patch is already provided and isolated, the maintainers will consider merging it to permanently close this specific smuggling vector.

Best,
-Mohamed
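The framing decision the message above describes, as an added stand-alone C example (not relayd's server_http.c, not the patch from the report, and not part of this thread): a request carrying a Transfer-Encoding that is not a valid chunked coding is rejected with 400 instead of quietly being read by Content-Length. It is deliberately stricter than the described one-line else branch: it also rejects a Content-Length sent alongside a valid chunked coding and a Content-Length that is not a plain digit string, which is the conservative reading of RFC 7230 section 3.3.3. The function names, the `framing` enum and the sample header values are all constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How the message body is delimited, or that the request must be refused. */
enum framing {
    FRAMING_NONE,           /* no message body */
    FRAMING_CONTENT_LENGTH, /* read exactly body_len bytes */
    FRAMING_CHUNKED,        /* decode the chunked transfer coding */
    FRAMING_REJECT          /* answer 400 Bad Request and close the connection */
};

/* Case-insensitive check that a field value of length len is exactly "chunked". */
static int
is_chunked_token(const char *tok, size_t len)
{
    static const char want[] = "chunked";

    if (len != sizeof(want) - 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != want[i])
            return 0;
    return 1;
}

/*
 * Decide the body framing from the raw Transfer-Encoding (te) and
 * Content-Length (cl) field values; either may be NULL when absent.
 * On FRAMING_CONTENT_LENGTH, *body_len receives the parsed length.
 */
enum framing
decide_framing(const char *te, const char *cl, unsigned long long *body_len)
{
    *body_len = 0;

    if (te != NULL) {
        /* Strip optional whitespace around the field value. */
        while (*te == ' ' || *te == '\t')
            te++;
        size_t len = strlen(te);
        while (len > 0 && (te[len - 1] == ' ' || te[len - 1] == '\t'))
            len--;

        /*
         * This is the branch the message calls for: a Transfer-Encoding we do
         * not understand is an error, never a fallback to Content-Length.
         * Only the single coding "chunked" is accepted (conservative choice).
         */
        if (!is_chunked_token(te, len))
            return FRAMING_REJECT;

        /* Chunked plus Content-Length is ambiguous framing; refuse it outright. */
        if (cl != NULL)
            return FRAMING_REJECT;
        return FRAMING_CHUNKED;
    }

    if (cl != NULL) {
        /* Content-Length must be 1*DIGIT: no sign, spaces, commas or suffix. */
        if (*cl == '\0')
            return FRAMING_REJECT;
        for (const char *p = cl; *p != '\0'; p++)
            if (!isdigit((unsigned char)*p))
                return FRAMING_REJECT;
        errno = 0;
        unsigned long long v = strtoull(cl, NULL, 10);
        if (errno == ERANGE)
            return FRAMING_REJECT;
        *body_len = v;
        return FRAMING_CONTENT_LENGTH;
    }

    return FRAMING_NONE;
}

int
main(void)
{
    /* Constructed header pairs, not captured traffic. */
    static const struct { const char *te, *cl; } samples[] = {
        { "chunked",  NULL }, { "chunkedx", "5" }, { "chunked", "5" },
        { NULL,       "42" }, { NULL,       "4 2" }, { NULL,     NULL },
    };
    static const char *names[] = { "NONE", "CONTENT_LENGTH", "CHUNKED", "REJECT" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long long n;
        enum framing f = decide_framing(samples[i].te, samples[i].cl, &n);
        printf("TE=%-10s CL=%-5s -> %s (len %llu)\n",
            samples[i].te ? samples[i].te : "-",
            samples[i].cl ? samples[i].cl : "-", names[f], n);
    }
    return 0;
}
```

The point of the table in `main` is the second row: with the described else branch in place, `Transfer-Encoding: chunkedx` next to `Content-Length: 5` yields REJECT, where the fallback behaviour would have read five bytes and left the remainder of the stream to be parsed as the next request.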
