httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: [PATCH] Make proxy CONNECT work again - Take 1
Date Mon, 30 Mar 1998 22:25:41 GMT
On Mon, 30 Mar 1998, Brian Behlendorf wrote:

> > and limits it so you can
> >_only_ connect to https and snews ports and no others.  That is what makes
> >it doubtful to me.
> 
> With some work we can remove this too.  One disturbing thing is line 121:
> 
>     if (p == NULL)
>         port = DEFAULT_HTTPS_PORT;
> 
> it looks like the claim that CONNECT can be ignorant of protocol used is
> specious if the proxy has to know what the default port for a given URL
> scheme is.  Could we make this something like
> 
>    if (p == NULL)
>        port = get_default_port_from_scheme(scheme);
> 
> but wait - where does it get the scheme?  seems like it only gets
> "host[:port]/path".  Grr?
> 
> I really want to make sure there's nothing that makes Apache inexportable
> to every country on earth.

Hey, it is still exportable to Canada.  <g>

But the problem is the check to only allow connections to certain ports is
there for a reason: to prevent people from doing bad things to other ports
and hiding behind a proxy.  Connecting to arbitrary ports through CONNECT
isn't good.

> 
> 	Brian
> 
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Optimism is a strategy for making                         brian@apache.org
> a better future." - Noam Chomsky                        brian@hyperreal.org
> 
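
The port restriction discussed above, sketched as an added example (not code from the patch or from Apache): the CONNECT target is parsed strictly and the tunnel is refused unless the port is on an allowlist. The function names, the `SNEWS_PORT` name, the values 443 and 563, and the assumption that the target is exactly "host[:port]" are illustrative.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_HTTPS_PORT 443   /* name as quoted in the message; value assumed */
#define SNEWS_PORT         563   /* hypothetical name; assumed snews port */

/* Hypothetical allowlist: the thread names only https and snews. */
static const int allowed_ports[] = { DEFAULT_HTTPS_PORT, SNEWS_PORT };

/* Parse the port from a CONNECT target of the form "host[:port]".
 * Returns the port, DEFAULT_HTTPS_PORT when none is given, or -1 when
 * the target is malformed. IPv6 literals are not handled and yield -1. */
int connect_target_port(const char *target)
{
    const char *p = strchr(target, ':');
    char *end;
    long port;

    if (*target == '\0' || p == target)
        return -1;                       /* empty host */
    if (p == NULL)
        return DEFAULT_HTTPS_PORT;       /* same fallback as the quoted line 121 */
    if (p[1] < '0' || p[1] > '9')
        return -1;                       /* rejects "", "+443", "-1", " 443" */
    errno = 0;
    port = strtol(p + 1, &end, 10);
    if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
        return -1;                       /* trailing junk or out of range */
    return (int)port;
}

/* Returns 1 when the proxy may tunnel to this target, 0 to refuse. */
int connect_allowed(const char *target)
{
    int port = connect_target_port(target);
    size_t i;

    for (i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (port == allowed_ports[i])
            return 1;
    return 0;                            /* malformed (-1) never matches */
}
```

Anything that fails to parse is refused rather than defaulted, so a target with trailing text after the port cannot fall through to the https default.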

