httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk
Date Thu, 19 Jan 2012 11:15:38 GMT

On Wed, Jan 18, 2012 at 11:16:18AM -0500, Jeff Trawick wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:
> 
> * modules can handle whatever valid URIs they want in the translate_name phase
> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
> * core's translate_name enforces HTTP constraints on the URI,
> returning 400 otherwise

+1 to that patch, thanks a lot Jeff for following through on this.

Regards, Joe
