Download raw body.
relayd: reject duplicate Content-Length headers with 400
OK?
commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa
Author: Rafael Sadowski <rafael@sizeofvoid.org>
Date: Fri Jul 10 16:25:13 2026 +0200
relayd: reject duplicate Content-Length headers with 400
Only Host was marked unique, so a request with two Content-Length
fields was framed on the last value but forwarded with both, allowing
a backend to desync and smuggle a request past the filter rules. Mark
Content-Length unique so the second occurrence is rejected in kv_add().
diff --git a/relay_http.c b/relay_http.c
index 170c3ce..a4c965e 100644
--- a/relay_http.c
+++ b/relay_http.c
@@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg)
goto abort;
}
- /* The "Host" header must only occur once. */
- unique = strcasecmp("Host", key) == 0;
+ /* The following headers must only occur once. */
+ unique = strcasecmp("Host", key) == 0 ||
+ strcasecmp("Content-Length", key) == 0;
if ((hdr = kv_add(&desc->http_headers, key,
value, unique)) == NULL) {
relayd: reject duplicate Content-Length headers with 400