httpd-dev mailing list archives

From "Malte S. Stretz" <...@apache.org>
Subject Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?
Date Wed, 08 Dec 2010 14:17:03 GMT
On Monday 22 November 2010 23:25:06 I wrote:
> On Monday 18 October 2010 12:28:12 Malte S. Stretz wrote:
> > On Tuesday 12 October 2010 19:49:02 Malte S. Stretz wrote:
> > > On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote:
> > > > On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote:
> > > > > On 12 Oct 2010, at 15:30, Malte S. Stretz wrote:
> > > > >> I had a quick look at the Apache source and the solution was
> > > > >> simple: Just drop headers which contain any character
> > > > >> outside the range [a-zA-Z0-9-]. The patch against trunk is
> > > > >> attached.
> > > > > 
> > > > > This made me think of something we had a while ago; and after
> > > > > checking the logs - big +1 from me!
> > > > [...]
>
> Time flies by... :)
> 
> As it seems like an option is preferred to a workaround, here are a
> bunch of patches.  The first implements an option (an environment
> variable map-invalid-headers) to switch on the backwards
> compatibility.  It got delayed because I didn't write any
> documentation yet.  I'll do so if it gets accepted :) [...]

Hmm, no reply yet, are there any objections/comments/questions about the 
patches?  If not, anybody with enough karma to commit?  Just asking :)

Cheers,
Malte
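
As an added illustration (not the patch from this thread and not httpd's own code), the check discussed above could look like this in C: a header name with any character outside [a-zA-Z0-9-] is dropped when CGI `HTTP_*` variables are built, unless a switch modelled on the map-invalid-headers option is set. The function name `cgi_env_name`, its parameters, the underscore mapping in compatibility mode and the sample header names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the patch in this thread): derive the CGI
 * variable name for a request header. Returns 1 and fills `out` when the
 * header is mapped, 0 when it is dropped or does not fit in `out`.
 * `map_invalid` models the backwards-compatibility option (map-invalid-headers). */
int cgi_env_name(const char *header, int map_invalid, char *out, size_t outlen)
{
    static const char prefix[] = "HTTP_";
    const size_t plen = sizeof(prefix) - 1;
    const size_t hlen = strlen(header);
    size_t i;

    if (outlen == 0)
        return 0;
    out[0] = '\0';                       /* empty result unless mapped */
    if (hlen == 0 || plen + hlen + 1 > outlen)
        return 0;
    for (i = 0; i < hlen; i++) {
        char c = header[i];
        if (c >= 'a' && c <= 'z')
            c = (char)(c - 'a' + 'A');   /* upper-case letters */
        else if (c == '-')
            c = '_';                     /* the one rewrite a valid name needs */
        else if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))) {
            if (!map_invalid)
                return 0;                /* outside [a-zA-Z0-9-]: drop header */
            c = '_';  /* assumed legacy behaviour: map the character to '_' */
        }
        out[plen + i] = c;
    }
    memcpy(out, prefix, plen);
    out[plen + hlen] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample header names. */
    const char *names[] = { "X-Forwarded-For", "X_Forwarded_For", "Bad Name" };
    char buf[64];
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-16s strict=%d compat=%d\n", names[i],
               cgi_env_name(names[i], 0, buf, sizeof buf),
               cgi_env_name(names[i], 1, buf, sizeof buf));
    return 0;
}
```

In compatibility mode two distinct header names can yield the same variable name, which is the ambiguity the strict mode removes for the CGI script.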
