Because Pound parses chunk sizes using strtoll(, , 16), chunk sizes that begin with 0x are erroneously accepted and forwarded. - and + prefixes are also accepted for the same reason, though - is only accepted when the chunk size is 0. This is not permitted in the HTTP RFCs, and can lead to problems for downstream servers because some servers interpret chunk sizes that begin with 0x as equivalent to 0. This can be used for request smuggling against such servers.
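The parsing difference described above, as an added example (not Pound's code): a model of a base-16 strtoll chunk-size parse next to a strict parser that accepts only hex digits. The function names and sample inputs are constructed, and the input is assumed to be the chunk-size token alone, with any chunk extension and the CRLF already stripped.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient model: base-16 strtoll, as the report describes.
 * Returns the parsed size, or -1 if the token is rejected. */
long long lenient_chunk_size(const char *s)
{
    char *end;
    errno = 0;
    long long n = strtoll(s, &end, 16);   /* accepts "0x", '+' and '-' */
    if (end == s || *end != '\0' || errno == ERANGE || n < 0)
        return -1;
    return n;
}

/* Strict parser: chunk-size = 1*HEXDIG, nothing else.
 * Returns the parsed size, or -1 if the token is rejected. */
long long strict_chunk_size(const char *s)
{
    long long n = 0;
    if (*s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        int d;
        if (*s >= '0' && *s <= '9')      d = *s - '0';
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else return -1;                  /* rejects 'x', '+', '-', spaces */
        if (n > (LLONG_MAX - d) / 16)
            return -1;                   /* would overflow */
        n = n * 16 + d;
    }
    return n;
}

int main(void)
{
    /* Constructed sample tokens, not taken from real traffic. */
    const char *samples[] = { "1f", "0x10", "+a", "-0", "-5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s lenient=%lld strict=%lld\n", samples[i],
               lenient_chunk_size(samples[i]), strict_chunk_size(samples[i]));
    return 0;
}
```

Any token where the two functions disagree is one a proxy should reject rather than forward.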