httpd-dev mailing list archives

From: Stefan Fritsch
Subject: Re: Proposed simple shell-shock protection
Date: Mon, 29 Sep 2014 15:57:47 GMT
On Monday 29 September 2014 10:07:40, Nick Kew wrote:
> Yes.  It's catching potential attacks in r->headers_in.
> The rest is paranoia-mode afterthoughts:
> PATH_INFO/QUERY_STRING because they could contain something
> interesting, subprocess_env just "because it's there" (there's
> a code comment about "just to be paranoid").

I haven't looked at the code deeply, but SERVER_PROTOCOL is one vector 
for shell-shock and mod_taint does not seem to cover that.

Of course, I would be in favor of httpd itself enforcing a sane value 
for this and other variables (see strict mode in trunk), but 2.4 

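As an added example (not httpd's or mod_taint's code), this is the kind of strict allowlist check the strict mode mentioned above can apply to SERVER_PROTOCOL: it accepts only the HTTP-version shape and so rejects injected shell text without needing a signature. The `cgi_var_allowed` gate is a hypothetical helper showing where such a check would sit before a variable is exported to a CGI child.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strict allowlist for the value that becomes the SERVER_PROTOCOL CGI
 * variable. Only the RFC 7230 HTTP-version form is accepted:
 * "HTTP/" DIGIT "." DIGIT. Anything else, including a bash function
 * definition prelude, is rejected. Returns 1 if sane, 0 otherwise. */
int server_protocol_is_sane(const char *proto)
{
    if (proto == NULL) return 0;
    if (strlen(proto) != 8) return 0;              /* "HTTP/x.y" is 8 chars */
    if (memcmp(proto, "HTTP/", 5) != 0) return 0;
    if (!isdigit((unsigned char)proto[5])) return 0;
    if (proto[6] != '.') return 0;
    if (!isdigit((unsigned char)proto[7])) return 0;
    return 1;
}

/* Hypothetical gate a server would call before putenv()/execve() of a CGI
 * child. Only SERVER_PROTOCOL gets the strict check here; other variables
 * pass through, which is the gap the thread discusses. */
int cgi_var_allowed(const char *name, const char *value)
{
    if (strcmp(name, "SERVER_PROTOCOL") == 0)
        return server_protocol_is_sane(value);
    return value != NULL;
}

int main(void)
{
    /* Constructed sample values; the third is the well-known malformed
     * function-definition prelude that triggers the bash bug. */
    const char *samples[] = { "HTTP/1.1", "HTTP/1.0", "() { :;}; echo",
                              "HTTP/1.1 ", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               cgi_var_allowed("SERVER_PROTOCOL", samples[i]) ? "export" : "reject");
    return 0;
}
```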