httpd-dev mailing list archives
From Jim Jagielski <...@jaguNET.com>
Subject Re: Christopher Williamson: URGENT: Bug/compatibility issue in Apache 1.3.26 (fwd)
Date Fri, 05 Jul 2002 14:14:27 GMT
Forwarded message:
> 
> +1 for the directive and default setting
> 
> :)
> 
> david
> ----- Original Message -----
> From: "Jim Jagielski" <jim@jaguNET.com>
> To: <pmc@httpd.apache.org>
> Sent: Thursday, July 04, 2002 3:55 PM
> Subject: Re: Christopher Williamson: URGENT: Bug/compatibility issue in Apache 1.3.26
> 
> 
> > Kraemer, Martin wrote:
> > >
> > > This test is meant to guard against spoofing attempts (like sending
> > > GET /thefile HTTP/1.0" 200 1234 "whatever" "whatever"<cr>1.2.3.4 - -
> > > "GET /secret HTTP/1.0" 200 2123....
> > > all in one line (containing CR or other control characters).
> > > Because such a request would be logged in a way that would hide
> > > the information about the actual file returned (/thefile).
> > > Strictly speaking, it is a measure to protect the server against abuse.
> > >
> > > IMHO it would be a bad decision if the Apache Group would decide to
> > > directly support syntax errors in HTTP clients -- we are one of the
> > > major reference implementations for HTTP/1.1. But I copy this mail
> > > to the project management committee anyway to have them decide whether
> > > adding a configuration directive is desirable.
> >
> > We should at least match 1.3 and 2.0's behavior. 2.0, as of the latest
> > CVS, still allows HTTP-1.1 (or whatever).
> >
> > I agree that HTTP-1.1 is broken, but it is debatable whether we should
> > provide some sort of backwards compatibility. My thoughts are a
> > StrictProtocol directive that defaults to true but provides for
> > disabling the check and enabling the old behavior. In the process
> > I'll also rework the 1.3 code to avoid the use of sscanf's '%n'.
> > Votes/Comments?
> > --
> >
> > ===========================================================================
> >    Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
> >       "A society that will trade a little liberty for a little order
> >              will lose both and deserve neither" - T.Jefferson
> >
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson
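The check the thread argues about, shown as an added example that is not Apache's own code (1.3 did this with sscanf in C; the regexes, the function names, the `strict` flag standing in for the proposed StrictProtocol directive, the sample client address and the forged request line are all this example's own assumptions). It parses a request line, refuses a version token that is not exactly HTTP/n.m or that drags control characters along with it, and then shows what the log would contain if the same line were accepted under a lenient check: the single record reads as two, the second one claiming a hit on /secret from another address.

```python
# Added example (not Apache's code): a strict request-line check of the kind
# discussed in the thread, beside the log forging it is meant to stop.
# Names, the "strict" flag and all sample input below are this example's
# assumptions, not anything from the Apache source.
import re

# HTTP-Version as the RFC grammar has it: "HTTP/" digits "." digits, nothing
# else. The 1.3 code did this with sscanf; the regex is a stand-in for that.
STRICT_VERSION = re.compile(r"^HTTP/(\d+)\.(\d+)$")
# Hypothetical check-disabled mode: tolerate the broken "HTTP-1.1" token the
# thread mentions and ignore whatever trails the version.
LENIENT_VERSION = re.compile(r"^HTTP[/-](\d+)\.(\d+)")


def parse_request_line(line, strict=True):
    """Split 'METHOD SP URI SP VERSION' into its three fields.

    With strict=True the version must be exactly HTTP/<n>.<m> and the line
    may carry no control characters, so a line that continues with
    '<cr>1.2.3.4 - - "GET /secret ...' after the version is refused.
    Returns (method, uri, version) or raises ValueError.
    """
    try:
        method, uri, version = line.split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line")
    if strict:
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in line):
            raise ValueError("control character in request line")
        if not STRICT_VERSION.match(version):
            raise ValueError("bad HTTP-Version token: %r" % version)
    elif not LENIENT_VERSION.match(version):
        raise ValueError("bad HTTP-Version token: %r" % version)
    return method, uri, version


def clf_entry(client, request_line, status, size):
    """One Common Log Format record built from the raw request line (%r).
    The timestamp field is left out to keep the record short."""
    return '%s - - "%s" %d %d' % (client, request_line, status, size)


def split_records(log_text):
    """Split log text the way a naive viewer or parser does: on CR or LF."""
    return [rec for rec in re.split(r"\r\n|\r|\n", log_text) if rec]


# Constructed attack input modelled on the line quoted in the thread: one
# request line (no LF inside it) whose tail fakes a second log record.
FORGED = ('GET /thefile HTTP/1.0" 200 1234 "whatever" "whatever"\r'
          '1.2.3.4 - - "GET /secret HTTP/1.0" 200 2123')


def records_if_logged(request_line, strict):
    """Log records an observer would see if the request were accepted under
    the given mode, or None when the check rejected it (nothing logged)."""
    try:
        parse_request_line(request_line, strict=strict)
    except ValueError:
        return None
    return split_records(clf_entry("10.0.0.1", request_line, 200, 1234))


if __name__ == "__main__":
    # Strict mode refuses the forged line outright.
    print(records_if_logged(FORGED, strict=True))
    # Lenient mode logs it, and the one record reads as two entries, the
    # second showing a 200 for /secret from 1.2.3.4 that never happened.
    for rec in records_if_logged(FORGED, strict=False):
        print(rec)
    # The compatibility case: a client sending "HTTP-1.1" only gets through
    # with the check disabled.
    print(records_if_logged("GET / HTTP-1.1", strict=True))
    print(records_if_logged("GET / HTTP-1.1", strict=False))
```

Run it and the lenient branch prints the two records a log reader would see; the strict branch prints None for both the forged line and the "HTTP-1.1" client, which is exactly the trade-off the proposed directive would let an administrator choose.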
