Download raw body.
relayd: reject duplicate Content-Length headers with 400
On Fri, 10 Jul 2026 16:29:25 +0200,
Rafael Sadowski <rafael@sizeofvoid.org> wrote:
>
> OK?
>
Make sense and reads OK kirill@
> commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa
> Author: Rafael Sadowski <rafael@sizeofvoid.org>
> Date: Fri Jul 10 16:25:13 2026 +0200
>
> relayd: reject duplicate Content-Length headers with 400
>
> Only Host was marked unique, so a request with two Content-Length
> fields was framed on the last value but forwarded with both, allowing
> a backend to desync and smuggle a request past the filter rules. Mark
> Content-Length unique so the second occurrence is rejected in kv_add().
>
> diff --git a/relay_http.c b/relay_http.c
> index 170c3ce..a4c965e 100644
> --- a/relay_http.c
> +++ b/relay_http.c
> @@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg)
> goto abort;
> }
>
> - /* The "Host" header must only occur once. */
> - unique = strcasecmp("Host", key) == 0;
> + /* The following headers must only occur once. */
> + unique = strcasecmp("Host", key) == 0 ||
> + strcasecmp("Content-Length", key) == 0;
>
> if ((hdr = kv_add(&desc->http_headers, key,
> value, unique)) == NULL) {
>
--
wbr, Kirill
relayd: reject duplicate Content-Length headers with 400