httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marian Marinov <m...@yuhu.biz>
Subject Re: Proposed simple shell-shock protection
Date Wed, 15 Oct 2014 23:38:15 GMT
On 09/29/2014 06:57 PM, Stefan Fritsch wrote:
> On Monday 29 September 2014 10:07:40, Nick Kew wrote:
>> Yes.  It's catching potential attacks in r->headers_in.
>> The rest is paranoia-mode afterthoughts:
>> PATH_INFO/QUERY_STRING because they could contain something
>> interesting, subprocess_env just "because it's there" (there's
>> a code comment about "just to be paranoid").
> I haven't looked at the code deeply, but SERVER_PROTOCOL is one vector 
> for shell-shock and mod_taint does not seem to cover that.
>
> Of course, I would be in favor of httpd itself enforcing a sane value 
> for this and other variables (see strict mode in trunk), but 2.4 
> doesn't.
>
I just want to point out that () is not the only possible string. Actually what you want to
catch is something like
this: ^\(.*\)

Marian


Mime
View raw message