httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk
Date Wed, 18 Jan 2012 16:26:04 GMT


Jeff Trawick wrote:
> Following the thread
> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
> and the related discussion in 2.2.x/STATUS, attached is a patch for
> trunk that implements the checking according to the following
> criteria:
> 
> * modules can handle whatever valid URIs they want in the translate_name phase
> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
> * core's translate_name enforces HTTP constraints on the URI,
> returning 400 otherwise

Sounds sensible. Looking forward to other comments :-)

Regards

Rüdiger
