From: "Roy T. Fielding"
To: dev
Subject: blocking Upgrade
Date: Tue, 29 Mar 2011 23:04:48 +0200
Message-Id: <697525EE-57D4-475D-802A-E47752833665@gbiv.com>

Does anyone with a working install want a quick project?

We need to block the Upgrade header field by default. What this will require is a new configuration command, like

   AllowUpgrade None | word ...

where word is any protocol name, like HTTP/2.0, waka, websocket, etc. The config command must only be allowed in rsrc_conf.

We then need a check somewhere in the http filter for an incoming request header field called "Upgrade". If present and the config option is set to None (or default), then remove the Upgrade field before it is seen by the request handler (i.e., before it might be used by some module or CGI script to send the server down a rat hole). If the config option is set and not None, then set the Upgrade header field-value to be the intersection of what was sent by the client and what is allowed by the config.

Likewise, perform the same filtering on outbound responses.

In other words, only allow a handler to upgrade the connection if it has been explicitly configured by the main server config to be an okay thing to do.

Any takers? If not, I'll give it a try next week when I am back from the IETF.

....Roy
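
The filtering rule described in this message, as an added example that is not part of the original message and is not httpd code. The function name filter_upgrade and its signature are hypothetical, and the case-insensitive matching of protocol names is an assumption the message does not state.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match (an assumption) of a token of length n. */
static int token_eq(const char *tok, size_t n, const char *name)
{
    if (strlen(name) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: copy into out the protocols from the Upgrade value
 * `sent` that are also in `allowed`. n_allowed == 0 models "AllowUpgrade None".
 * Returns the number kept (0: remove the field), or -1 with out emptied if
 * out is too small, so a caller fails closed by removing the field. */
int filter_upgrade(const char *sent, const char *const *allowed,
                   size_t n_allowed, char *out, size_t outlen)
{
    size_t used = 0;
    int kept = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*sent) {
        while (*sent == ',' || *sent == ' ' || *sent == '\t')
            sent++;                       /* separators, leading whitespace */
        size_t n = strcspn(sent, ","), len = n;
        while (len > 0 && (sent[len - 1] == ' ' || sent[len - 1] == '\t'))
            len--;                        /* trailing whitespace */
        for (size_t i = 0; len > 0 && i < n_allowed; i++) {
            if (!token_eq(sent, len, allowed[i]))
                continue;
            if (used + len + (kept ? 2 : 0) >= outlen) {
                out[0] = '\0';
                return -1;
            }
            if (kept) { memcpy(out + used, ", ", 2); used += 2; }
            memcpy(out + used, sent, len);
            used += len;
            out[used] = '\0';
            kept++;
            break;
        }
        sent += n;
    }
    return kept;
}
```

The same function applies to the outbound direction: pass the handler's response Upgrade value as `sent` and drop the field when the result is 0 or -1.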