httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555
Date Sun, 13 Dec 2009 17:59:37 GMT
On 26.11.2009 22:06, Ruediger Pluem wrote:
> 
> On 11/19/2009 04:58 PM, Joe Orton wrote:
>> On Thu, Nov 19, 2009 at 04:05:34PM +0100, Hartmut Keil wrote:
>>> With the proposed change, we prevent request splitting attacks based 
>>> on the TSL renegotiation flaw. From my point of view without 
>>> drawbacks, since 'pipelining' clients must handle the closing of a 
>>> connection after a complete response in any case.
>> Yes, I agree, this seems very sensible, I can't see any problem with 
>> this.  
>>
>> I would prefer to do it in a slightly more general way as below, which 
>> would catch the case where any other module's connection filter had 
>> buffered the data, and adds appropriate logging.
>>
>> (more general but which required half a day tracking down an obscure bug 
>> in the BIO/filters, also fixed below...)
>>
>> Testing on this version very welcome!
> 
> Anything that prevents this from committing?

Ping, Joe?

Regards

RĂ¼diger


Mime
View raw message