Posted to dev@httpd.apache.org by "Malte S. Stretz" <ms...@apache.org> on 2010/12/08 15:17:03 UTC
Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?
On Monday 22 November 2010 23:25:06 I wrote:
> On Monday 18 October 2010 12:28:12 Malte S. Stretz wrote:
> > On Tuesday 12 October 2010 19:49:02 Malte S. Stretz wrote:
> > > On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote:
> > > > On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote:
> > > > > On 12 Oct 2010, at 15:30, Malte S. Stretz wrote:
> > > > >> I had a quick look at the Apache source and the solution was
> > > > >> simple: Just drop headers which contain any character
> > > > >> outside the range [a-zA-Z0-9-]. The patch against trunk is
> > > > >> attached.
> > > > >
> > > > > This made me think of something we had a while ago; and after
> > > > > checking the logs - big +1 from me!
> > > > [...]
>
> Time flies by... :)
>
> As it seems like an option is preferred to a workaround, here are a
> bunch of patches. The first implements an option (an environment
> variable map-invalid-headers) to switch on the backwards
> compatibility. It got delayed because I didn't write any
> documentation yet. I'll do so if it gets accepted :) [...]
Hmm, no reply yet, are there any objections/comments/questions about the
patches? If not, anybody with enough karma to commit? Just asking :)
Cheers,
Malte
--
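The filter quoted at the top of this thread (drop any header whose name has a character outside [a-zA-Z0-9-]), sketched as a stand-alone C function. This is an added example, not the patch that was posted or committed; header_to_env and the sample header names are hypothetical, and the HTTP_ prefix with '-' mapped to '_' is the usual CGI naming convention.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map a request header name to its CGI variable name: "HTTP_" prefix,
 * upper case, '-' becomes '_'. Returns 1 on success. Returns 0 when the
 * header must be dropped: empty name, name too long for out, or any byte
 * outside [a-zA-Z0-9-]. On 0 the contents of out are unspecified. */
static int header_to_env(const char *name, char *out, size_t outlen)
{
    static const char prefix[] = "HTTP_";
    size_t p = sizeof(prefix) - 1, n = strlen(name), i;

    if (n == 0 || p + n + 1 > outlen)
        return 0;
    memcpy(out, prefix, p);
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '-')
            out[p + i] = '_';
        else if (c < 0x80 && isalnum(c))
            out[p + i] = (char)toupper(c);
        else
            return 0; /* '_', space, ':', control or 8-bit byte */
    }
    out[p + n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample names. If '_' were accepted, the third would
     * yield the same variable as the second. */
    static const char *const names[] = {
        "User-Agent", "X-Forwarded-For", "X_Forwarded_For", "Proxy Auth"
    };
    char env[64];
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (header_to_env(names[i], env, sizeof(env)))
            printf("%-16s -> %s\n", names[i], env);
        else
            printf("%-16s -> dropped\n", names[i]);
    }
    return 0;
}
```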
Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?
Posted by "Malte S. Stretz" <ms...@apache.org>.
On Tuesday 28 December 2010 15:56:15 Stefan Fritsch wrote:
> On Wednesday 08 December 2010, Malte S. Stretz wrote:
> > Hmm, no reply yet, are there any objections/comments/questions
> > about the patches? If not, anybody with enough karma to
> > commit? Just asking :)
>
> I have committed the variant without separate config directive as
> r1053357, r1053363, r1053365. Thank you very much for your patch and
> your patience.
Thanks. I almost forgot about it by now :)
Cheers,
Malte
--
Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?
Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Wednesday 08 December 2010, Malte S. Stretz wrote:
> Hmm, no reply yet, are there any objections/comments/questions
> about the patches? If not, anybody with enough karma to
> commit? Just asking :)
I have committed the variant without separate config directive as
r1053357, r1053363, r1053365. Thank you very much for your patch and
your patience.