RFC 9110 Section 5.6.4:
qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
CR and LF bytes aren't in any of these ranges - they're simply not allowed inside chunk-ext at all, quoted or not. A strict parser should reject the request with 400 if it sees CR/LF before the actual line terminator.
Squid does this; HaProxy recently did change to do some extra validation.
RFC 9110 Section 5.6.4:
CR and LF bytes aren't in any of these ranges - they're simply not allowed inside chunk-ext at all, quoted or not. A strict parser should reject the request with 400 if it sees CR/LF before the actual line terminator.
Squid does this; HaProxy recently did change to do some extra validation.