httpd-dev mailing list archives

From Tim Bannister <is...@jellybaby.net>
Subject Re: Rethinking "be liberal in what you accept"
Date Wed, 07 Nov 2012 18:26:40 GMT
On 7 Nov 2012, at 11:26, Stefan Fritsch wrote:

> considering the current state of web security, the old principle of "be liberal in what
> you accept" seems increasingly inadequate for web servers. It causes lots of issues like response
> splitting, header injection, cross site scripting, etc. The book "Tangled Web" by Michal Zalewski
> is a good read on this topic, the chapter on HTTP is available for free download at http://nostarch.com/tangledweb.

> If a method is not registered, bail out early.

Good idea, but it would be nice to be able to use <Limit> or <LimitExcept> to
re-allow it.

-- 
Tim Bannister – isoma@jellybaby.net
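Below is an added example, not code from the thread or from httpd, that models the two points above in Python: a request whose method is not registered is refused before anything else runs, and per-location <Limit>/<LimitExcept>-style rules then decide what a registered method may do, so an operator can re-allow a non-standard one. The default method list, the status codes and the last-matching-rule merge order are assumptions of the model, not httpd behaviour.

```python
from dataclasses import dataclass, field

# Assumed stand-in for the method set httpd registers at startup.
DEFAULT_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})

@dataclass(frozen=True)
class MethodRule:
    """One <Limit ...> (limit_except=False) or <LimitExcept ...> section."""
    methods: frozenset
    limit_except: bool
    allow: bool   # the section's Require outcome for this client

    def applies_to(self, method: str) -> bool:
        named = method in self.methods
        return not named if self.limit_except else named

@dataclass
class Location:
    registered: set = field(default_factory=lambda: set(DEFAULT_METHODS))
    rules: list = field(default_factory=list)  # assumed: last matching rule wins

    def register_method(self, method: str) -> None:
        """Explicit opt-in for a non-standard method (cf. httpd's RegisterHttpMethod)."""
        self.registered.add(method.upper())

    def handle(self, method: str) -> int:
        """HTTP status the model returns for a request using this method."""
        # Stage 1 (Stefan's proposal): an unregistered method is rejected
        # before authorization or any handler sees the request.
        if method.upper() not in self.registered:
            return 501
        # Stage 2 (Tim's point): per-location rules decide what a registered
        # method may do; a method no rule covers stays unrestricted.
        allowed = True
        for rule in self.rules:
            if rule.applies_to(method.upper()):
                allowed = rule.allow
        return 200 if allowed else 403

def weak_location() -> Location:
    """<Limit GET POST> Require all denied: methods it does not name slip through."""
    return Location(rules=[MethodRule(frozenset({"GET", "POST"}), False, False)])

def hardened_location() -> Location:
    """Default-deny with <LimitExcept GET HEAD>, then <Limit PURGE> re-allows it."""
    loc = Location()
    loc.register_method("PURGE")
    loc.rules = [MethodRule(frozenset({"GET", "HEAD"}), True, False),
                 MethodRule(frozenset({"PURGE"}), False, True)]
    return loc
```

The weak_location() case shows why a bare <Limit> is not a restriction: methods it does not name are untouched, whereas hardened_location() denies by default and opts PURGE back in explicitly after registering it.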

