On 11/19/2009 04:58 PM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based
> >> on the TLS renegotiation flaw. From my point of view without
>> drawbacks, since 'pipelining' clients must handle the closing of a
>> connection after a complete response in any case.
>
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.
>
> I would prefer to do it in a slightly more general way as below, which
> would catch the case where any other module's connection filter had
> buffered the data, and adds appropriate logging.
>
> (more general but which required half a day tracking down an obscure bug
> in the BIO/filters, also fixed below...)
>
> Testing on this version very welcome!
Anything that prevents this from committing?
Regards
Rüdiger