Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 7516 invoked from network); 23 Jun 2005 13:46:47 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 23 Jun 2005 13:46:47 -0000 Received: (qmail 82191 invoked by uid 500); 23 Jun 2005 13:46:41 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 82009 invoked by uid 500); 23 Jun 2005 13:46:40 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 81996 invoked by uid 99); 23 Jun 2005 13:46:40 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Jun 2005 06:46:40 -0700 X-ASF-Spam-Status: No, hits=0.1 required=10.0 tests=FORGED_RCVD_HELO X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [207.155.248.31] (HELO ajax.cnchost.com) (207.155.248.31) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Jun 2005 06:46:41 -0700 Received: from rcsv650.rowe-clan.net (c-24-13-128-132.hsd1.il.comcast.net [24.13.128.132]) by ajax.cnchost.com id JAA03727; Thu, 23 Jun 2005 09:46:37 -0400 (EDT) [ConcentricHost SMTP Relay 1.17] Errors-To: Message-Id: <6.2.1.2.2.20050623083902.09e2f700@pop3.rowe-clan.net> X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2 Date: Thu, 23 Jun 2005 08:43:55 -0500 To: dev@httpd.apache.org From: "William A. Rowe, Jr." Subject: Re: 2.1.5 available for testing In-Reply-To: References: <6.2.1.2.2.20050622145657.06df4eb0@pop3.rowe-clan.net> <20050622211223.GA4142@redhat.com> <42B9D66F.8020704@force-elite.com> <6.2.1.2.2.20050622220324.0cc106c0@pop3.rowe-clan.net> <42BA65FC.8070004@fujitsu-siemens.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N At 05:45 AM 6/23/2005, Jeff Trawick wrote: >On 6/23/05, jean-frederic clere wrote: >> William A. Rowe, Jr. wrote: >> > ++1 To Joe's comments. >> > >> > Jeff's fix is technically right, but scares the nibbles out >> > of me. If, for example, an exploit is able to inject the >> > T-E on top of the legit C-L, I really suspect we should not >> > trust the origin server at all. > >If we don't allow keepalive, then it is down to whether or not this >single request can be parsed correctly if our choice of {CL, TE} makes >sense. So close the proxy connection if C-L and T-E are returned from the origin server? That would upgrade my +.5 to +1 - I totally agree. >> > For origin servers (as opposed to clients) make this choice >> > between ignore C-L, or fail, configurable? > >try very hard to make a reasonable choice with no configuration :) >(speaking to the choir, of course) Yup - that was my concern too. >> Once the patch applied we lose the information that the request was "incorrect". >> That means we won't be able to choose in proxy between sending C-L (and dechunk) >> and T-E. > >I don't follow here. How does the backend choice of {TE, CL} affect >what we send the client? I really didn't understand that either. The RFC really doesn't offer any choice of how to interpret T-E and C-L (it states, ignore (drop) the C-L header. And we will pass the response to the client however we agreed. Bill