httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57832] Reduction of response splitting attacks consequences in mod_proxy
Date Wed, 13 May 2015 09:29:50 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

--- Comment #5 from Yann Ylavic <ylavic.dev@gmail.com> ---
Created attachment 32734
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32734&action=edit
Patch for 2.4.x (r1516930+r1516965+r1530603+r1530792+r1656259+PR57832)

(In reply to regilero from comment #4)
> I've tried to apply things from r1656259 and then your proposed patch. But
> neither patch or myself are able to find where to apply theses changes in
> the 2.4 branch. I think you'll need to make a regular 2.4 patch version if
> you want me to try it :-)

Yes, sorry, there are missing bits before r1656259.
The attached patch applies both to 2.4.x and 2.4.12, thanks for testing!

> I wonder if preventing any mod_proxy module
> to handle non-transactionnal communications is a good move.

As you can see, this patch only affects mod_proxy_http and mod_proxy_ajp (both
transactionnal), the others do not reuse backend connections when done (polling
loop until EOF), hence don't use ap_proxy_is_socket_connected().
The only change here is that the caller can now also know if the socket is
readable (in addition to simply still connected), transactionnal proxy modules
may use that (as this patch does).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message