It is the old length. From the Wiki for HTTP::payload replace: "To clarify, the length argument should be the length of original content to replace. In order to replace the entire payload, the offset should be 0 and the length should be the original size in bytes of the payload. The original content length can typically be retrieved using [HTTP::header value Content-Length]."
It would have to work this way; otherwise you could never replace a string shorter than the original length. There would always be something left at the end. Payload is NOT a register-type location where it has an atomic value. Since the engine is perfectly capable of determining the length of the new string, there would be no need for you to tell it how much of the new string to replace. Granted, if the documentation is wrong, then this has seriously changed, but as I said, how could it work any other way?
Note that if you did want to replace the payload starting at 0 with only a part of the new string, then you would have to use a function to take only the desired number of bytes from the new string.
Regards,
Tom
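
An added example, not part of the post above and not F5's own code: an iRule that replaces an entire response body, passing the original payload length as the length argument and trimming the new string itself when only part of it is wanted. The 1 MB collection cap, the 64-character limit, the replacement text, and the variable names are assumptions made for illustration.

```tcl
when HTTP_RESPONSE {
    # Buffer the body only when its size is known and bounded.
    # The 1 MB ceiling is an assumed limit for this example.
    if { [HTTP::header exists Content-Length] } {
        set clen [HTTP::header value Content-Length]
        if { $clen > 0 && $clen <= 1048576 } {
            HTTP::collect $clen
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Length of the ORIGINAL buffered content. This, not the length of
    # the new string, is what HTTP::payload replace expects.
    set old_len [HTTP::payload length]

    # Constructed replacement text (assumption for the example).
    set new_body "This content has been removed by policy."

    # To insert only part of the new string, trim the string itself.
    # string range counts characters, which equal bytes only for
    # single-byte text such as this sample.
    set max_chars 64
    set new_body [string range $new_body 0 [expr {$max_chars - 1}]]

    # Offset 0 plus the old length replaces the whole payload, so a
    # shorter replacement leaves no trailing bytes of the original.
    HTTP::payload replace 0 $old_len $new_body

    HTTP::release
}
```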