httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <>
Subject Re: [finrod@EWOX.ORG: YA Apache DoS attack]
Date Sun, 09 Aug 1998 00:55:19 GMT
>For this specific pathology.. is it permissable for the server to
>*not* merge field values if the existing concatenation already
>includes them?  That is, don't merge "Header: foo" if the
>accumulated value of Header already includes "foo"?  Roy?

Yes, that's what I thought merge already did.  Hmmm, guess not.
That would not stop the DoS attack though -- they'd just replace the
value with a counter.

The best solution would be to do what is planned for 2.0.  That is,
replace all parsing and access to header values with a tokenized
hash table and linked lists for values.  But I wouldn't want to do
that for 1.3 because it would cause hell for 3rd party modules
(or at least would be hell providing backward compatible interfaces).

Let's start with the easiest solution (configurable limits) and work
from there.


View raw message