Date: Wed, 16 Dec 2009 16:01:36 +0000
From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: handling request splicing in case of server initiated renegotiation CVE-2009-3555

On Sun, Dec 13, 2009 at 06:59:37PM +0100, Ruediger Pluem wrote:
> On 26.11.2009 22:06, Ruediger Pluem wrote:
> > On 11/19/2009 04:58 PM, Joe Orton wrote:
> >> Yes, I agree, this seems very sensible, I can't see any problem with
> >> this.
> >>
> >> I would prefer to do it in a slightly more general way as below, which
> >> would catch the case where any other module's connection filter had
> >> buffered the data, and adds appropriate logging.
> >>
> >> (more general but which required half a day tracking down an obscure bug
> >> in the BIO/filters, also fixed below...)
> >>
> >> Testing on this version very welcome!
> >
> > Anything that prevents this from committing?
>
> Ping, Joe?

Sorry - trying to keep too many plates spinning at the moment:

Done in http://svn.apache.org/viewvc?view=revision&revision=891282

Regards, Joe