Hello,
ICAP prohibits forwarding of hop-by-hop headers in HTTP headers. If
the virgin request has a "Transfer-Encoding: chunked" header, the ICAP
server will not receive it. Thus, when the ICAP server responds with a
200 OK and what it thinks is an identical copy of the HTTP request, the
adapted request will be missing the Transfer-Encoding header.
One the server side, Squid used to test whether the request had a
Transfer-Encoding header to determine whether request chunking is needed
when talking to the next HTTP hop. That test would fail in ICAP presence.
This change implements a more direct/robust check: if we do not know the
request content length, we chunk the request.
We also no longer forward the Content-Length header if we are chunking.
It should not really be there in most cases, but an explicit check is
safer and may also prevent request smuggling attacks via Connection:
Content-Length tricks.
This fix has been tested in a production environment.
Thank you,
Alex.
This archive was generated by hypermail 2.2.0 : Wed Apr 06 2011 - 12:00:15 MDT