Message-ID: <4B0EEDF0.1070902@apache.org>
Date: Thu, 26 Nov 2009 22:06:56 +0100
From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
In-Reply-To: <20091119155854.GA25109@redhat.com>

On 11/19/2009 04:58 PM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>> With the proposed change, we prevent request splitting attacks based
>> on the TLS renegotiation flaw. From my point of view without
>> drawbacks, since 'pipelining' clients must handle the closing of a
>> connection after a complete response in any case.
>
> Yes, I agree, this seems very sensible, I can't see any problem with
> this.
>
> I would prefer to do it in a slightly more general way as below, which
> would catch the case where any other module's connection filter had
> buffered the data, and adds appropriate logging.
>
> (more general but which required half a day tracking down an obscure bug
> in the BIO/filters, also fixed below...)
>
> Testing on this version very welcome!

Anything that prevents this from committing?

Regards

Rüdiger