httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [PATCH] CVE-2011-3368, CVE-2011-4317, trunk
Date Thu, 19 Jan 2012 11:51:33 GMT
On Thu, Jan 19, 2012 at 6:15 AM, Joe Orton <jorton@redhat.com> wrote:
> On Wed, Jan 18, 2012 at 11:16:18AM -0500, Jeff Trawick wrote:
>> Following the thread
>> http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
>> and the related discussion in 2.2.x/STATUS, attached is a patch for
>> trunk that implements the checking according to the following
>> criteria:
>>
>> * modules can handle whatever valid URIs they want in the translate_name phase
>> * our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
>> * core's translate_name enforces HTTP constraints on the URI,
>> returning 400 otherwise
>
> +1 to that patch, thanks a lot Jeff for following through on this.

Thanks for looking, Joe and Rüdiger!

Unless I get contradictory conflicts in the short term, I'll commit to
trunk and 2.4.x, and update 2.2.x STATUS.
