When uhttpd receives a request with both a Transfer-Encoding: chunked and a Content-Length header, it prioritizes the Content-Length header. This is disallowed by RFC 9112, section 6.1:
"A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks."
I suggest that uhttpd respond 400 and close the connection in response to requests containing both headers. These requests are very uncommon and indicate a likely attempted request smuggling attack.
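The check suggested above, as an added sketch that is not uhttpd's own code: it scans a request head and reports when both framing headers are present, so the caller can answer 400 and close the connection. The names `classify_framing`, `name_is` and the `FRAMING_*` values are hypothetical, and the sample requests are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum framing { FRAMING_NONE, FRAMING_LENGTH, FRAMING_TRANSFER_ENCODING, FRAMING_REJECT };

/* Constructed sample requests (not captured traffic). */
static const char REQ_BOTH[] = "POST / HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
static const char REQ_CL_ONLY[] = "POST / HTTP/1.1\r\nHost: example.test\r\n"
    "content-length: 4\r\n\r\nabcd";

/* Case-insensitive match of a header line's field name (the text before ':'). */
static int name_is(const char *line, size_t len, const char *name)
{
    size_t i, n = strlen(name);
    if (len <= n || line[n] != ':')
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Classify a request head: request line, CRLF-separated headers, empty line.
 * FRAMING_REJECT means both headers were seen: respond 400, then close. */
enum framing classify_framing(const char *head)
{
    int has_cl = 0, has_te = 0;
    const char *p = strstr(head, "\r\n");        /* skip the request line */

    while (p && *(p += 2) && strncmp(p, "\r\n", 2) != 0) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        has_cl |= name_is(p, len, "Content-Length");
        has_te |= name_is(p, len, "Transfer-Encoding");
        p = eol;                                 /* NULL ends the loop */
    }
    if (has_cl && has_te)
        return FRAMING_REJECT;
    if (has_te)
        return FRAMING_TRANSFER_ENCODING;
    return has_cl ? FRAMING_LENGTH : FRAMING_NONE;
}

int main(void)
{
    printf("both headers: %s\n", classify_framing(REQ_BOTH) == FRAMING_REJECT
           ? "400, close connection" : "accepted");
    printf("Content-Length only: %d\n", classify_framing(REQ_CL_ONLY));
    return 0;
}
```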