httpd-dev mailing list archives

From Rasmus Lerdorf <ras...@apache.org>
Subject Re: 1.3.31 regression affecting Front Page?
Date Wed, 09 Jun 2004 16:21:07 GMT
Don't see that anywhere.  Either eaten by spam filters or a gerbil.

Anyway, I don't understand why this would have broken mod_dav.  If mod_dav
wants a keepalive connection it should determine this prior to the ap_die
and set conn->keepalive to 1.  Or am I missing something with respect to
what mod_dav is doing here?  I suppose we could add an ugly exception for
a PROPFIND here, but I'd like to make sure that is actually needed.

Without this patch non-keepalive connections are not being dropped when we
know there is nothing more to do.  For example, on a server that doesn't
allow POST someone can POST to it and it will happily sit there and read
the entire POST request.  This defeats the purpose of adding a Limit POST
and introduces a DoS.  Same for a 404 or any other error handler.  I can
POST to a bogus URL and Apache will read the entire POST request even
though we know it is a 404 at this point and that we can safely discard
the request body.  I don't think releasing .32 without addressing this
issue is a good idea.

-Rasmus

On Wed, 9 Jun 2004, Jim Jagielski wrote:

> I had sent private Email to your @apache.org address
> (since that's the one you use to provide HTTPD related
> patches).
>
> On Jun 8, 2004, at 5:10 PM, Rasmus Lerdorf wrote:
>
> > Uh, I never received anything on this.  Did you actually send me
> > something?  I'll have a look at addressing this issue.  Releasing 1.3.32
> > without this fix would be a nasty backwards step.  The original problem
> > this fixes is serious.
> >
> > -Rasmus
> >
> > On Fri, 28 May 2004, Jim Jagielski wrote:
> >
> >> I've backed out that patch and asked Rasmus to send a replacement
> >> which addresses his specific problem but does not cause
> >> the below behavior.
> >>
> >> I'm tempted to release 1.3.32...
> >>
> >> Jeff Trawick wrote:
> >>>
> >>> This patch did it:
> >>>
> >>> http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_request.c?r1=1.173&r2=1.174
> >>>
> >>> See also
> >>>
> >>> http://issues.apache.org/bugzilla/show_bug.cgi?id=29257
> >>> http://www.rtr.com/fp2002disc/_disc2/00000a71.htm
> >>>
> >>
> >>
> >> --
> >> ===========================================================================
> >>    Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
> >>       "A society that will trade a little liberty for a little order
> >>              will lose both and deserve neither" - T.Jefferson
> >>
> >
> >
>
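
The behaviour discussed in the message above (reading the whole body of a POST that is already known to fail), as an added example that is not part of the original thread and is not Apache code. It is a minimal Python model over a local socket pair; `ALLOWED`, `handle`, `drop_when_done`, the simplified keepalive check and the request itself are constructed for illustration.

```python
import socket

ALLOWED = {"GET", "HEAD"}  # assumed policy: POST is not allowed on this server
REASON = {200: b"OK", 405: b"Method Not Allowed"}

def read_head(sock):
    """Read to the blank line; return (method, headers, body bytes already received)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[0], headers, len(rest)

def handle(sock, drop_when_done):
    """Serve one request; return (status, body bytes read after the status was known)."""
    method, headers, already = read_head(sock)
    status = 200 if method in ALLOWED else 405
    # Simplified HTTP/1.0 rule: keepalive only when the client asks for it.
    keepalive = headers.get("connection", "").lower() == "keep-alive"
    remaining = int(headers.get("content-length", "0")) - already
    read_after = 0
    if status == 200 or keepalive or not drop_when_done:
        # Body is consumed: the connection will be reused, or this is the
        # read-everything behaviour the message objects to.
        while remaining > 0:
            chunk = sock.recv(min(4096, remaining))
            if not chunk:
                break
            remaining -= len(chunk)
            read_after += len(chunk)
    sock.sendall(b"HTTP/1.0 %d %s\r\nContent-Length: 0\r\n\r\n" % (status, REASON[status]))
    if not keepalive:
        sock.close()  # nothing more to do on this connection
    return status, read_after

def demo(drop_when_done, connection="close", size=4096):
    """Constructed request: a POST with a `size`-byte body sent over a socketpair."""
    client, server = socket.socketpair()
    client.sendall(b"POST /x HTTP/1.0\r\nConnection: %s\r\nContent-Length: %d\r\n\r\n"
                   % (connection.encode(), size) + b"A" * size)
    with client, server:
        return handle(server, drop_when_done)
```

With `drop_when_done=False` the server's read cost grows with whatever Content-Length the client declares, even though the 405 was decided from the request line alone.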
