httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 09:05:55 GMT
Alexei Kosut wrote:
> 
> On Mon, 15 Jul 1996, sameer wrote:
> 
> > OK, I'll go into my reasoning...
> 
> [...]
> 
> Okay... I'll buy what you say. But getting rid of the "!port" is *not* the
> way to do it.
> 
> > You're connecting to port 80, so the configuration needs to stay at
> > r->server, but actually the configuration got changes to
> > r->server->next. Looks like a problem to me.
> > 
> > 	Perhaps changing
> > 
> >   for (s = r->server->next; s; s = s->next)
> > to
> >   for(s = r->server; s; s = s->next)
> > 
> > is the real solution?
> 
> Hmm. No. I think the real solution (and http11.patch has this in it, btw,
> since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
> ": 80". Try that, see if it works.

Shouldn't it be the port the connection is on rather than 80?

> 
> * Historical note: Originally, when http-wg decided to use the Host:
> header (as opposed to Orig-URI:), the spec said the format of the header
> should be "Host: f.q.d.n", the port number being obtainable via other
> means. However, Netscape screwed up and made it "Host: f.q.d.n:portnum" if
> there was a port in the original URI. So the spec was changed. However,
> there are still a couple browsers out there (old versions of emacs-w3, I
> think, mostly) that don't send the port number, so Apache 1.1's code,
> if there is no port number in the Host: header, will match any port. (it
> also makes it a lot easier to debug a server, because you don't have to
> reach your finger over and hit the colon, then a bunch of numbers *grin*)
> But the HTTP/1.1 spec does mandate that no port number should be intereted
> as the "default port" (80). So we have to change it eventually, and I
> think it may solve your problem at the same time.

Of course, if the connection is HTTPS, the "default port" is 443. But, like I
say, I think no port should mean "the same port as this connection".

Cheers,

Ben.

> 
> -- Alexei Kosut <akosut@organic.com>            The Apache HTTP Server 
>    http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
> 

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.

Mime
View raw message