httpd-dev mailing list archives

From Micha Lenk <>
Subject Re: mod_proxy, pooled backend connections and the keep-alive race condition
Date Tue, 08 Oct 2013 14:00:13 GMT
Hi Yann,

Am 03.10.2013 15:33, schrieb Yann Ylavic:
> On Thu, Oct 3, 2013 at 2:07 PM, Micha Lenk <> wrote:
> >   Independent from how the HRS issue (CVE-2005-2088) was fixed at that
> >   time, I still believe that it is a bad idea in terms of security to
> >   flush the buffer and forward its content to the backend before the
> >   *whole* request body has been received.
> mod_proxy won't forward anything before the whole request *header* is
> received (it isn't even called before), with or without my patch(es),
> and that prevents HRS provided the httpd checks
> Content-Length/Transfer-Encoding against
> (which is the case, at least in trunk).
> mod_proxy will also prevent HRS by checking that the received data do
> not exceed the announced size, again my patch(es) don't change that.

Well, assessing HRS-like issues, you need to not only look at the first
HTTP request, but more importantly at a possible subsequent HTTP request
sent on the same connection. So, if you flush the buffer and forward its
content to the backend, you need to make sure to not accidentally
forward the next request without parsing it. That is all I wanted to
stress when talking about a potential HRS issue.

> It currently prefetches 16K of the body (if any) and forwards that and
> everything after to the backend from there, it won't retain the
> "*whole*" body unless one plays with the "proxy-sendcl" env.

If this is the same behavior as with current unpatched httpd, I am fine
with it. But then I guess this behavior is unrelated to your patch, right?

> Do you mean you always setenv "proxy-sendcl" to force mod_proxy in
> full-fetching mode because of security issues ?


> I'm not sure what changes you are talking about, though.
> Is it about the "flushall" or the "prefetch before connect" patch ?

It is about the "flushall" patch.
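
The body-boundary concern raised in the message above, as an added example that is not part of this thread and not code from httpd or mod_proxy: a small Python model of a proxy draining one keep-alive client connection. The function names (`naive_flushall`, `framed_forward`, `proxy_connection`), the sample pipelined requests and the host name `backend.test` are all constructed for the illustration. Only Content-Length framing is modelled; the model also refuses a head that carries both Content-Length and Transfer-Encoding, the ambiguous case behind the CVE-2005-2088 class of smuggling, and it assumes each call sees the whole buffered body (a real proxy would carry the count of outstanding body bytes across reads).

```python
# Added example, not code from httpd or mod_proxy: a minimal model of proxy-side
# request framing on a keep-alive (pipelined) client connection.  It shows why
# "flush whatever is buffered" is dangerous: bytes belonging to the NEXT request
# reach the backend without ever being parsed by the proxy (request smuggling).
# Only Content-Length framing is modelled; chunked bodies are out of scope here.
from typing import Callable, Dict, List, Optional, Tuple

Forwarder = Callable[[bytes], Tuple[bytes, bytes]]  # (sent_to_backend, retained)


def parse_request_head(buf: bytes) -> Optional[Tuple[str, Dict[bytes, bytes], bytes]]:
    """Split one request head off buf.

    Returns (request_line, headers, rest) or None if the head is incomplete.
    Rejects heads carrying both Content-Length and Transfer-Encoding, the
    ambiguous framing that request-smuggling attacks rely on.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers and b"transfer-encoding" in headers:
        raise ValueError("ambiguous framing: both Content-Length and Transfer-Encoding")
    return lines[0].decode("ascii", "replace"), headers, rest


def content_length(headers: Dict[bytes, bytes]) -> int:
    """Strict Content-Length parse: digits only (no sign, no list, no blanks)."""
    value = headers.get(b"content-length", b"0")
    if not value.isdigit():
        raise ValueError("malformed Content-Length: %r" % value)
    return int(value)


def naive_flushall(buf: bytes) -> Tuple[bytes, bytes]:
    """The behaviour the thread warns about: everything buffered is flushed to
    the backend as soon as the head is complete, with no body boundary check."""
    return buf, b""


def framed_forward(buf: bytes) -> Tuple[bytes, bytes]:
    """Forward the head plus exactly Content-Length body bytes (or fewer if the
    body is not fully buffered yet); retain anything beyond the boundary so the
    proxy parses it as a new request.  Model simplification: assumes the whole
    buffered body is presented in one call."""
    parsed = parse_request_head(buf)
    if parsed is None:
        return b"", buf
    _, headers, rest = parsed
    head_len = len(buf) - len(rest)
    body_now = min(content_length(headers), len(rest))
    return buf[:head_len + body_now], rest[body_now:]


def proxy_connection(buf: bytes, forward: Forwarder) -> List[Tuple[str, bytes]]:
    """Drive one client connection's buffered bytes through the proxy.

    Returns (request_line_seen_by_proxy, bytes_sent_to_backend) for each
    request the proxy actually parsed.  Bytes the proxy never parsed but still
    forwarded show up only as extra length in a previous entry.
    """
    seen: List[Tuple[str, bytes]] = []
    while buf:
        parsed = parse_request_head(buf)
        if parsed is None:  # incomplete head: wait for more client data
            break
        request_line = parsed[0]
        sent, buf = forward(buf)
        seen.append((request_line, sent))
    return seen


# Constructed sample traffic: a POST with a 5-byte body followed, on the same
# keep-alive connection, by a second request the proxy is supposed to inspect.
REQ1 = (b"POST /upload HTTP/1.1\r\nHost: backend.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
REQ2 = b"GET /admin HTTP/1.1\r\nHost: backend.test\r\n\r\n"
PIPELINED = REQ1 + REQ2


if __name__ == "__main__":
    for name, fwd in (("naive flushall", naive_flushall), ("framed", framed_forward)):
        print(name)
        for line, sent in proxy_connection(PIPELINED, fwd):
            print("  proxy parsed %-22s backend received %d bytes" % (line, len(sent)))
```

With `naive_flushall` the proxy parses a single request and the backend receives both, so the `GET /admin` never passes through the proxy's own parsing or access checks; with `framed_forward` the second request is retained, parsed and forwarded as its own unit.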
