Pieces of how this happened, and some of the fixes implemented, don't instill much confidence.
Amongst other issues, this was triggered by a lack of case-insensitive handling of the HTTP "Content-Length" header. https://phabricator.services.mozilla.com/D135871 has one of the commits that landed as a result of this, and while it does change the handling to be case-insensitive, it raises even more questions about the HTTP/3 stack. For instance, this is doing a string search across the HTTP headers for the string "content-length". Does that string appear in a cookie? Well, you just got the wrong content length. It's extremely concerning that this isn't downstream of something that has pre-parsed the headers and has them indexed by their parsed-out names.
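To make the complaint above concrete, here is an added, constructed example (not Mozilla's or neqo's code, and not the logic in D135871) contrasting three ways of pulling Content-Length out of a parsed HTTP/3 header list: an exact case-sensitive name match, a flattened substring search, and a lookup over the parsed names only. The header lists and the cookie value are made up for the demonstration; the function names are assumptions. Header names are case-insensitive per RFC 9110, and HTTP/2 and HTTP/3 require them to be lowercase on the wire (RFC 9114 section 4.2), but a receiver should not rely on that.

```rust
// Constructed illustration of the three lookups; not Mozilla/neqo code.

/// A header list as HTTP/3 delivers it after decoding: ordered (name, value) pairs.
type Headers<'a> = &'a [(&'a str, &'a str)];

/// Flaw 1: exact (case-sensitive) name comparison. Misses "Content-Length".
fn content_length_case_sensitive(headers: Headers<'_>) -> Option<u64> {
    headers
        .iter()
        .find(|(name, _)| *name == "content-length")
        .and_then(|(_, value)| value.trim().parse().ok())
}

/// Flaw 2: flatten the headers back to text and substring-search for the name.
/// Case-insensitive now, but it matches inside *any* value, e.g. a cookie,
/// and then reads whatever digits follow the match.
fn content_length_substring(headers: Headers<'_>) -> Option<u64> {
    let flat: String = headers
        .iter()
        .map(|(n, v)| format!("{}: {}\r\n", n, v))
        .collect::<String>()
        .to_ascii_lowercase();
    let start = flat.find("content-length")?;
    let rest = &flat[start + "content-length".len()..];
    // Skip the ':' and any spaces, then take the run of digits.
    let rest = rest.trim_start_matches(|c: char| c == ':' || c == ' ');
    let digits: String = rest.chars().take_while(|c| c.is_ascii_digit()).collect();
    digits.parse().ok()
}

/// Correct: walk the already-parsed list and compare *names* only,
/// case-insensitively; values are never searched. Conflicting duplicate
/// Content-Length values (RFC 9110 section 8.6) are rejected rather than
/// silently picking one, since that ambiguity is the classic smuggling vector.
fn content_length_by_name(headers: Headers<'_>) -> Option<u64> {
    let mut found: Option<u64> = None;
    for (name, value) in headers {
        if !name.eq_ignore_ascii_case("content-length") {
            continue;
        }
        let n: u64 = value.trim().parse().ok()?; // non-numeric value: reject
        match found {
            Some(prev) if prev != n => return None, // conflicting values: reject
            _ => found = Some(n),
        }
    }
    found
}

fn main() {
    // Constructed header lists for the demonstration.
    let mixed_case: &[(&str, &str)] = &[("Content-Length", "12")];
    let with_cookie: &[(&str, &str)] = &[
        ("cookie", "tracking=content-length:9999; id=abc"),
        ("content-length", "12"),
    ];
    println!(
        "case-sensitive: {:?}, substring: {:?}, by name: {:?}",
        content_length_case_sensitive(mixed_case),
        content_length_substring(with_cookie),
        content_length_by_name(with_cookie),
    );
}
```

The substring version returns 9999 from the cookie value, while the by-name version returns 12 from the real header; the case-sensitive version returns nothing for a mixed-case name. The point is the one the comment makes: once the headers have been decoded into name/value pairs, the lookup should index on those names and never re-scan the values as text.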