From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 57832] Reduction of response splitting attacks consequences in mod_proxy
Date: Mon, 18 May 2015 09:03:11 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_proxy
X-Bugzilla-Version: 2.4.12
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: regis.leroy@makina-corpus.com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2

https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

--- Comment #9 from regilero ---
This version is OK. Stored injections are always detected, small and big.
The only way to inject a new response is to have fine control of the backend stream and use timers between responses, which, by definition, cannot be detected by mod_proxy.

So it's almost good. I think there's maybe just one problem with responses from backends containing one extra CRLF. This is already managed by mod_proxy and allowed by the RFC. But here, if I'm not wrong on my tests, it makes a connection status 2.