httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Date Thu, 26 Nov 2009 21:06:56 GMT


On 11/19/2009 04:58 PM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based 
>> on the TSL renegotiation flaw. From my point of view without 
>> drawbacks, since 'pipelining' clients must handle the closing of a 
>> connection after a complete response in any case.
> 
> Yes, I agree, this seems very sensible, I can't see any problem with 
> this.  
> 
> I would prefer to do it in a slightly more general way as below, which 
> would catch the case where any other module's connection filter had 
> buffered the data, and adds appropriate logging.
> 
> (more general but which required half a day tracking down an obscure bug 
> in the BIO/filters, also fixed below...)
> 
> Testing on this version very welcome!

Anything that prevents this from committing?

Regards

RĂ¼diger


Mime
View raw message