Disabled requests with both Content-Length and Transfer-Encoding. HTTP clients are not allowed to generate such requests since Transfer-Encoding introduction in RFC 2068, and they are not expected to appear in practice except in attempts to perform a request smuggling attack. While handling of such requests is strictly defined, the most secure approach seems to reject them.

commit: 1acbef181d4675565c76b313d3cc14a5f0302703 [log] [tgz]
author: Maxim Dounin <mdounin@mdounin.ru> Mon Jun 28 18:01:06 2021 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> Mon Jun 28 18:01:06 2021 +0300
tree: bd21103b535e3375e2e91aa789d1dd8aa0d13f4e
parent: 12790af93730924f04993d25bd232a5ff6a58d76 [diff]
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 5b26138..2614b99 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c

@@ -1985,8 +1985,15 @@
             && ngx_strncasecmp(r->headers_in.transfer_encoding->value.data,
                                (u_char *) "chunked", 7) == 0)
         {
-            r->headers_in.content_length = NULL;
-            r->headers_in.content_length_n = -1;
+            if (r->headers_in.content_length) {
+                ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                              "client sent \"Content-Length\" and "
+                              "\"Transfer-Encoding\" headers "
+                              "at the same time");
+                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                return NGX_ERROR;
+            }
+
             r->headers_in.chunked = 1;
 
         } else {
commit	1acbef181d4675565c76b313d3cc14a5f0302703	[log] [tgz]
author	Maxim Dounin <mdounin@mdounin.ru>	Mon Jun 28 18:01:06 2021 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	Mon Jun 28 18:01:06 2021 +0300
tree	bd21103b535e3375e2e91aa789d1dd8aa0d13f4e
parent	12790af93730924f04993d25bd232a5ff6a58d76 [diff]