httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57832] Reduction of response splitting attacks consequences in mod_proxy
Date Mon, 18 May 2015 09:03:11 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

--- Comment #9 from regilero <regis.leroy@makina-corpus.com> ---
This version is OK.

Stored injections are always detected, small and big.
The only way to inject a new response is to have a fine control of the backend
stream and use timers between responses, which, by definition, cannot be
detected by mod_proxy.

So it's almost good. I think there's maybe just one problem with responses from
backends containing one extra CRLF. This is already managed by mod_proxy and
allowed by the RFC. But here, if I'm not wrong on my tests, it makes a
connection status 2.
