For context: http://martin.swende.se/blog/HTTPChunked.html
This was discussed a little on the security@ list last year but it's a difficult issue and there was not any consensus beyond the fact that the current behaviour is wrong, and "punt to dev@". There is a separate thread about how to fix this, which Eric just re-started, but it would be good to discuss/find consensus on the security impact. The API for handling trailer fields is unspecified, which is really why this bug exists; modules don't really expect those trailers to get merged into r->headers_in at a "surprising" time during request processing. I'd argue that gateway modules can/should handle this case correctly, regardless of the httpd API; hence this is not a security issue in httpd as such. For example, with mod_proxy acting as a reverse proxy, no headers can get "accidentally" passed through, since mod_proxy captures the request headers before processing the request body. Regards, Joe