httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <...@algroup.co.uk>
Subject Re: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
Date Tue, 04 Jun 2002 10:15:21 GMT
Ryan Bloom wrote:
>>From: Ben Laurie [mailto:ben@algroup.co.uk]
>>
>>Cliff Woolley wrote:
>>
>>>On Mon, 3 Jun 2002, Ryan Bloom wrote:
>>>
>>>
>>>
>>>>I was actually just about to look at this problem if you are busy.
>>>
>>>
>>>Go for it... I'm working on something else.
>>
>>Perhaps its just me, but I'm amused this is considered a bug.
> 
> 
> It's a security hole IMO.  The problem is that if you rewrite the URL
> .*, then the error URL that mod_ssl will be rewritten.  This means that
> you can serve information over HTTP that was supposed to be restricted
> to HTTPS.

Sorry, I don't understand this - seems like you missed a word or two out?

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff


Mime
View raw message