On Mon, Apr 13, 2026 at 01:51:41PM +0000, Ben Kallus wrote:
> > Playing devil's advocate here. If your request makes it through the WAF /
> > reverse proxy then aren't those systems vulnerable to this and not httpd?
>
> Yes. That's the problem with these request smuggling bugs; you often
> need a bug in the middlebox *and* the origin server to exploit them,
> but they only violate the security model of the middlebox. I'd say
> that correctness is more important than assigning blame here, though.
> Best to fix it in both places?

I agree that we should fix these issues in httpd. This is just once again a
case where Postel's law went wrong, but the security impact of this is minimal.

-- 
:wq Claudio
