kenballus opened a new issue, #12142: URL: https://github.com/apache/trafficserver/issues/12142
(Tested on ATS built from `master` @ 090141a380558446621d920064a7f958ac5e5e43)

The HTTP RFCs are clear that bare LF is not a valid line ending within chunked message bodies. See [here](https://www.rfc-editor.org/errata/eid7633) for an explicit statement of that fact.

ATS accepts bare LF as a line ending within chunked message bodies. Further, ATS forwards such messages without normalizing the bare LFs to CRLFs.

For example, if you send ATS the following request:

```
POST / HTTP/1.1\r\n
Host: whatever\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\n
\r\n
```

...it forwards the following:

```
POST / HTTP/1.1\r\n
Host: echo\r\n
Client-ip: 172.18.0.1\r\n
X-Forwarded-For: 172.18.0.1\r\n
Via: http/1.1 traffic_server[fff5947b-4ec5-46e1-8e34-856ad7e07864] (ApacheTrafficServer/10.2.0)\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\n
\r\n
```

Note that the bare LF made it through unchanged.

# Recommended fix

Respond to all requests with bare LFs in chunked message bodies with status 400. If that's too restrictive, then translating the bare LFs to CRLFs might also be sufficient.
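The strict behaviour recommended in the issue, as an added example that is not part of the original report and is not ATS code: a chunked-body decoder that rejects any line ending in LF without a preceding CR. The names `decode_chunked`, `status_for` and `BareLF` are hypothetical, and chunk-extension parsing is simplified.

```python
import re

# Chunk-size line: 1*HEXDIG plus optional chunk extensions (simplified grammar).
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:[ \t]*;[^\r\n]*)?")

ISSUE_BODY = b"0\n\r\n"  # message body of the request shown in the issue

class BareLF(ValueError):
    """A line inside the chunked body ended in LF without a preceding CR."""

def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line, next_pos); the line must be terminated by CRLF."""
    lf = buf.find(b"\n", pos)
    if lf == -1:
        raise ValueError("truncated chunked body")
    if lf == pos or buf[lf - 1:lf] != b"\r":
        raise BareLF(f"bare LF at offset {lf}")
    return buf[pos:lf - 1], lf + 1

def decode_chunked(buf: bytes) -> bytes:
    """Strictly decode a chunked body; raise instead of tolerating bare LF."""
    pos, out = 0, bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        m = _SIZE_LINE.fullmatch(line)
        if not m:
            raise ValueError(f"bad chunk-size line {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated chunk data")
        out += data
        pos += size
        if buf[pos:pos + 2] != b"\r\n":  # chunk data must be followed by CRLF
            if buf[pos:pos + 1] == b"\n":
                raise BareLF(f"bare LF at offset {pos}")
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    while True:  # trailer section: field lines, then one empty line
        line, pos = _read_line(buf, pos)
        if line == b"":
            return bytes(out)

def status_for(buf: bytes) -> int:
    """400 for any malformed chunked body, as the issue recommends."""
    try:
        decode_chunked(buf)
    except ValueError:
        return 400
    return 200
```
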
