
OLS ignores unrecognized transfer encodings

Open kenballus opened this issue 1 year ago • 1 comments

When OLS receives a message with an unrecognized Transfer-Encoding value, it is ignored. This is dangerous because the Transfer-Encoding header affects message framing, so there is little certainty that received messages with unrecognized transfer codings are interpreted correctly.

RFC 9112 suggests that implementations respond 501 to unrecognized transfer codings:

> A server that receives a request message with a transfer coding it does not understand SHOULD respond with 501 (Not Implemented).

Nearly all other HTTP implementations (including AIOHTTP, Apache httpd, Cheroot, Daphne, Deno, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Libsoup, Lighttpd, Mongoose, Nginx, Node.js, Passenger, Puma, Tomcat, Tornado, Uvicorn, Waitress, WEBrick, Apache Traffic Server, nghttpx, Pound, Squid, Varnish, Akamai, Cloudflare, Google Classic App. LB, Envoy, and relayd) follow this advice, and OLS probably should too.

kenballus, Jun 28 '24 17:06
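The check the issue asks for, as an added example that is not part of the issue or of OpenLiteSpeed's code: a hypothetical C helper, `te_request_status`, for a server assumed to implement only the `chunked` coding. It answers 501 for any coding it does not recognize; the 400 result for a missing or repeated `chunked` is an assumption of this example that goes beyond what the issue covers.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Case-insensitive match of one list element against "chunked". */
static int is_chunked(const char *s, size_t n)
{
    static const char name[] = "chunked";
    if (n != sizeof name - 1) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Hypothetical helper, not OpenLiteSpeed code. Assumes the server implements
 * only "chunked". Returns 0 (frame the body as chunked), 501 (unrecognized
 * coding) or 400 (no coding at all, or chunked listed more than once). */
int te_request_status(const char *value)
{
    int chunked_seen = 0;
    const char *p = value;

    while (*p) {
        const char *start = p;               /* one comma-separated element */
        while (*p && *p != ',') p++;
        const char *end = p;
        if (*p == ',') p++;
        while (start < end && (*start == ' ' || *start == '\t')) start++;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
        if (start == end) continue;          /* skip empty list elements */
        if (!is_chunked(start, (size_t)(end - start)))
            return 501;                      /* never guess unknown framing */
        chunked_seen++;
    }
    return chunked_seen == 1 ? 0 : 400;
}

int main(void)
{
    /* Constructed sample Transfer-Encoding values. */
    const char *samples[] = { "chunked", "gzip, chunked", "bogus", "chunked, chunked" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s -> %d\n", samples[i], te_request_status(samples[i]));
    return 0;
}
```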

Should be fixed in 1.8.2.

litespeedtech, Sep 14 '24 15:09

Confirmed.

kenballus, Dec 31 '24 22:12