Tinyproxy - HTTP Request Smuggling via CL/TE Desynchronization

An attacker sends an HTTP request containing both `Content-Length` and `Transfer-Encoding: chunked` headers (CL/TE desync) or multiple `Content-Length` headers with different values. Tinyproxy uses the first `Content-Length` value to determine how many body bytes to consume, but forwards all headers verbatim to the backend. The backend, per RFC 7230, uses `Transfer-Encoding` when both are present (CL/TE case) or the last `Content-Length` value (duplicate CL case), causing the proxy and backend to disagree on request boundaries. This desynchronization allows the attacker to inject arbitrary HTTP requests into the backend connection, enabling cache poisoning, access control bypass, and request hijacking [CWE-444] [ref_id=1].

The vulnerability resides in `src/reqs.c` where `process_client_headers()` uses `Content-Length` to determine body size but forwards both `Content-Length` and `Transfer-Encoding: chunked` headers to the backend. Additionally, `src/pseudomap.c`'s `pseudomap_append()` unconditionally adds duplicate headers, and the forwarding loop in `src/reqs.c:953-971` sends all duplicates to the backend.

Patch [patch_id=6466823] modifies `process_client_headers()` in `src/reqs.c` to check for `Transfer-Encoding: chunked` regardless of whether `Content-Length` is present. When both headers exist, it removes the `Content-Length` header from the forwarded set, preventing the CL/TE desync. Patch [patch_id=6466822] adds a duplicate `Content-Length` check in `add_header_to_connection()` in `src/reqs.c`, returning early if a `Content-Length` header already exists, thus preventing multiple `Content-Length` headers from being emitted to the backend.