From: Jean-Marc Desperrier
Date: Thu, 19 Nov 2009 17:41:10 +0100
To: dev@httpd.apache.org
Subject: Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> > [...] From my point of view without
>> > drawbacks, since 'pipelining' clients must handle the closing of a
>> > connection after a complete response in any case.
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.

It seems very sensible *if* it works in practice, it would be better to check with clients if they actually implement this properly. If it's so easy, I'm surprised it hasn't been done earlier, instead of that ugly solution of queuing POST requests inside a buffer (ref bug 39243)