httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: Can we be less forgiving about what we accept?
Date Mon, 28 Nov 2011 16:30:16 GMT
On Monday 28 November 2011, Nick Kew wrote:
> On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
> > Hi,
> > 
> > while browsing a bit through Michal Zalewski's new Tangled Web
> > book, I was reminded again that we are very forgiving about what
> > we accept as a request. Is this really a good idea in the time
> > of lots of web security issues?
> 
> Sounds like you're thinking of something like mod_taint[1] plus a
> default ruleset to ship it with?

I thought more of something that is contained in the core, aborts 
processing early for invalid requests, is not configurable (except 
maybe for a lax/strict switch) and does not reduce performance in any 
significant way. Not sure if a regex approach is right there. But I am 
not sure if doing such validation in the core is worth the effort, 
either.
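The sort of check described above, done in the core, rejecting an invalid request line before any further processing, and with only a lax/strict switch rather than a configurable ruleset, could look like the following. This is an added example written for this archive page, not httpd's own parser: the mode and result names, the exact grammar enforced (RFC 2616 token characters for the method, no whitespace or control characters in the request-target, a literal "HTTP/" DIGIT "." DIGIT version) and the sample request lines are all my own assumptions and constructions. Lax mode tolerates runs of SP/HTAB and trailing whitespace, which is the kind of forgiveness the thread is questioning; strict mode demands exactly one SP between the three parts and nothing after the version.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Validation mode, mirroring the lax/strict switch floated in the message. */
typedef enum { MODE_LAX = 0, MODE_STRICT = 1 } validate_mode;

/* Result codes: REQ_OK means accept; anything else means abort early
 * (the client would get a 400 before any handler ever runs). */
typedef enum {
    REQ_OK = 0,
    REQ_BAD_METHOD,
    REQ_BAD_SEPARATOR,
    REQ_BAD_TARGET,
    REQ_BAD_VERSION
} validate_result;

/* RFC 2616 "token" characters: printable ASCII minus the separators. */
static bool is_tchar(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f) return false;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Consume one separator. Strict mode: exactly one SP, not followed by more
 * whitespace. Lax mode: any run of SP/HTAB, roughly what forgiving parsers
 * have historically accepted. Returns NULL when the separator is invalid. */
static const char *skip_sep(const char *p, validate_mode mode)
{
    if (mode == MODE_STRICT) {
        if (*p != ' ' || p[1] == ' ' || p[1] == '\t') return NULL;
        return p + 1;
    }
    if (*p != ' ' && *p != '\t') return NULL;
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Validate one request line (CRLF already stripped by the caller). */
validate_result validate_request_line(const char *line, validate_mode mode)
{
    const char *p = line;
    const char *start = p;

    /* Method: one or more token characters. */
    while (is_tchar((unsigned char)*p)) p++;
    if (p == start) return REQ_BAD_METHOD;
    if ((p = skip_sep(p, mode)) == NULL) return REQ_BAD_SEPARATOR;

    /* Request-target: non-empty, printable ASCII only, no whitespace or
     * control characters in either mode. */
    start = p;
    while (*p && *p != ' ' && *p != '\t') {
        unsigned char c = (unsigned char)*p;
        if (c < 0x21 || c >= 0x7f) return REQ_BAD_TARGET;
        p++;
    }
    if (p == start) return REQ_BAD_TARGET;
    if ((p = skip_sep(p, mode)) == NULL) return REQ_BAD_SEPARATOR;

    /* Version: exactly "HTTP/" DIGIT "." DIGIT, then end of line. */
    if (strncmp(p, "HTTP/", 5) != 0) return REQ_BAD_VERSION;
    p += 5;
    if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
        !isdigit((unsigned char)p[2])) return REQ_BAD_VERSION;
    p += 3;
    if (mode == MODE_LAX) {
        /* Forgiving parsers tolerated trailing whitespace before the CRLF. */
        while (*p == ' ' || *p == '\t') p++;
    }
    return (*p == '\0') ? REQ_OK : REQ_BAD_VERSION;
}

int main(void)
{
    /* Constructed sample request lines, not captured traffic. */
    const char *samples[] = {
        "GET /index.html HTTP/1.1",        /* well-formed */
        "GET  /index.html HTTP/1.1",       /* double SP: lax only */
        "GET /index.html\tHTTP/1.0",       /* HTAB separator: lax only */
        "GET /a\001b HTTP/1.1",            /* control char in target: never */
        "GET /caf\303\251 HTTP/1.1",       /* non-ASCII target: never */
        "GET /index.html HTTP/1.1 ",       /* trailing SP: lax only */
        "GET /index.html HTTP/1.1 extra",  /* trailing junk: never */
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);
    for (size_t i = 0; i < n; i++) {
        printf("lax=%d strict=%d  %s\n",
               validate_request_line(samples[i], MODE_LAX),
               validate_request_line(samples[i], MODE_STRICT),
               samples[i]);
    }
    return 0;
}
```

Because the checks are a single left-to-right pass over the line with no allocation and no regex, the cost is negligible next to the rest of request processing, which is the performance point raised in the message; the trade-off is that the reject set is fixed at compile time rather than expressed as a ruleset.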
