You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/08/08 06:37:03 UTC

Re: [patch 1.3] The http_protocol.c C-L + T-E patch

Still looking for a vote on this fix to core for 1.3, preventing
modules from seeing an invalid C-L + T-E combination from the
client per RFC 2616.  This does not apply to proxy (as implemented
now) but may affect other handlers as I noted below.  The sanest
action seems to be; adopt our 2.0 core change.

The clean patch to backport to 1.3 is at 

  http://people.apache.org/~wrowe/httpd-1.3-proto-cl-te.patch

With respect to fixes in individual modules, one should still
remember that this isn't a panacea, it's still possible for any
other invalid module to reinsert a content-length input header
at your handler before it's invoked.  But it seems worthwhile
to go ahead and fix the 80/20 with these 3 lines of code already
committed to trunk and 2.0.x.

Bill

At 04:36 PM 7/19/2005, William A. Rowe, Jr. wrote:
>At 04:11 PM 7/19/2005, Joe Orton wrote:
>>On Tue, Jul 19, 2005 at 02:59:14PM -0500, William Rowe wrote:
>>> Paul?  Joe?  Jeff?  Someone?
>>> 
>>> This is the only showstopper to a 1.3.34 candidate today, 
>>> since 1.3.x/src/modules/proxy/mod_proxy.c rejects T-E 
>>> for proxy request bodies.
>>
>>Since the 1.3 proxy already rejects such requests what does this patch 
>>actually fix?
>
>Hmmm...
>
>  mod_isapi?
>  mod_php?
>  mod_cgi?
>  mod_jk?
>
>shall I keep digging?

Re: [patch 1.3] The http_protocol.c C-L + T-E patch

Posted by Jim Jagielski <ji...@jaguNET.com>.

On Aug 8, 2005, at 12:37 AM, William A. Rowe, Jr. wrote:

> Still looking for a vote on this fix to core for 1.3, preventing
> modules from seeing an invalid C-L + T-E combination from the
> client per RFC 2616.  This does not apply to proxy (as implemented
> now) but may affect other handlers as I noted below.  The sanest
> action seems to be; adopt our 2.0 core change.
>
> The clean patch to backport to 1.3 is at
>
>   http://people.apache.org/~wrowe/httpd-1.3-proto-cl-te.patch
>

+1

Re: [patch 1.3] The http_protocol.c C-L + T-E patch

Posted by Graham Leggett <mi...@sharp.fm>.

William A. Rowe, Jr. said:

> Still looking for a vote on this fix to core for 1.3, preventing
> modules from seeing an invalid C-L + T-E combination from the
> client per RFC 2616.  This does not apply to proxy (as implemented
> now) but may affect other handlers as I noted below.  The sanest
> action seems to be; adopt our 2.0 core change.
>
> The clean patch to backport to 1.3 is at
>
>   http://people.apache.org/~wrowe/httpd-1.3-proto-cl-te.patch

+1.

Regards,
Graham
--