httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 20:50:12 GMT
Alexei Kosut wrote:
> 
> On Tue, 16 Jul 1996, Ben Laurie wrote:
> 
> > > Hmm. No. I think the real solution (and http11.patch has this in it, btw,
> > > since the HTTP/1.1 spec mandates it*) is to change line 376 from ": 0" to
> > > ": 80". Try that, see if it works.
> > 
> > Shouldn't it be the port the connection is on rather than 80?
> 
> I dunno. I suppose that would be the ideal way to do it; Apache
> wouldn't have to know anything about https then. But the HTTP/1.1 spec
> does say that it should be interpreted as the default port. I do
> agree, though, that IMHO, the best may be to change ": 0" to ":
> r->server->port".
> 
> [...]
> 
> > Of course, if the connection is HTTPS, the "default port" is 443. But, like I
> > say, I think no port should mean "the same port as this connection".
> 
> I don't know if we get to make that decision. Roy?

I put some Deep Thought (tm) into this while building Apache-SSL 1.1.1+1.3, and
I decided that, in fact, no port number really should mean the default port,
for consistency with the rest of the universe. This is the patch that
Apache-SSL applies to 1.1.1 anyway.

Whilst we're on the subject of virtual hosts, something has been nagging at me.
The other day, we set up a server running on 127.0.0.1. Then we wanted to
extend it to 127.0.0.2 (we were doing some experiments), so the trainee
Webmaster set up two virtual hosts:

<VirtualHost 127.0.0.1>
stuff
</VirtualHost>

<VirtualHost 127.0.0.2>
stuff
</VirtualHost>

This caused Apache to crash. Commenting out the first pair of VirtualHosts
sorted it out. It would be neat if this worked, IMHO. Certainly it shouldn't
crash.

Thoughts?

Cheers,

Ben.

> 
> -- 
> ________________________________________________________________________
> Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
> URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
> 

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.            Apache Group member (http://www.apache.org)
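
The three readings of a Host value with no port that this thread debates, side by side, as an added example that is not Apache's code or part of the original message. The names host_port and port_policy are hypothetical, and the sample Host value is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three readings of a port-less Host value debated in the thread. */
enum port_policy {
    PORT_FIXED_80,        /* change ": 0" to ": 80" */
    PORT_OF_CONNECTION,   /* "the same port as this connection" */
    PORT_SCHEME_DEFAULT   /* the default port: 80, or 443 for HTTPS */
};

/* Hypothetical helper: port a Host value refers to, or -1 if malformed.
 * Assumes a plain name or IPv4 address (no bracketed IPv6 literal). */
int host_port(const char *host, enum port_policy policy,
              int conn_port, int is_https)
{
    const char *colon = strchr(host, ':');
    char *end;
    long port;

    if (host[0] == '\0' || colon == host)
        return -1;                          /* empty host name */
    if (colon == NULL) {                    /* no port: apply the policy */
        if (policy == PORT_FIXED_80)
            return 80;
        if (policy == PORT_OF_CONNECTION)
            return conn_port;
        return is_https ? 443 : 80;
    }
    /* strtol() alone would accept " 80", "+80" and "-1"; require a digit. */
    if (!isdigit((unsigned char)colon[1]))
        return -1;
    port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return -1;                          /* trailing junk or out of range */
    return (int)port;
}

int main(void)
{
    /* Constructed input: one port-less Host value on an HTTPS listener. */
    const char *host = "www.example.com";
    printf("fixed 80:       %d\n", host_port(host, PORT_FIXED_80, 443, 1));
    printf("connection:     %d\n", host_port(host, PORT_OF_CONNECTION, 443, 1));
    printf("scheme default: %d\n", host_port(host, PORT_SCHEME_DEFAULT, 443, 1));
    return 0;
}
```

On the HTTPS listener the fixed-80 reading yields 80 while the other two yield 443, so a virtual host matched on host and port would only be found under the latter two.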
