> Playing devils advocate here. If your request makes it through the WAF / > reverse proxy then aren't those systems vulnerable to this and not httpd?
Yes. That's the problem with these request smuggling bugs; you often need a bug in the middlebox *and* the origin server to exploit them, but they only violate the security model of the middlebox. I'd say that correctness is more important than assigning blame here, though. Best to fix it in both places? -Ben
