httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject blocking Upgrade
Date Tue, 29 Mar 2011 21:04:48 GMT
Does anyone with a working install want a quick project?

We need to block the Upgrade header field by default.  What this
will require is a new configuration command, like

   AllowUpgrade None | word ...

where word is any protocol name, like HTTP/2.0, waka, websocket, etc.
The config command must only be allowed in rsrc_conf.

We then need a check somewhere in the http filter for an incoming
request header field called "Upgrade".  If present and the config option
is set to None (or default), then remove the Upgrade field before it
is seen by the request handler (i.e., before it might be used by some
module or CGI script to send the server down a rat hole).
If the config option is set and not None, then set the Upgrade
header field-value to be the intersection of what was sent by the
client and what is allowed by the config.

Likewise, perform the same filtering on outbound responses.

In other words, only allow a handler to upgrade the connection
if it has been explicitly configured by the main server config
to be an okay thing to do.

Any takers?  If not, I'll give it a try next week when I am back
from the IETF.

....Roy

Mime
View raw message