Forwarded message:
>
> +1 for the directive and default setting
>
> :)
>
> david
> ----- Original Message -----
> From: "Jim Jagielski" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, July 04, 2002 3:55 PM
> Subject: Re: Christopher Williamson: URGENT: Bug/compatability issue in
> Apache 1.3.26
>
>
> > Kraemer, Martin wrote:
> > >
> > > This test is meant against spoofing attempts (like sending
> > > GET /thefile HTTP/1.0" 200 1234 "whatever" "whatever"<cr>1.2.3.4 - -
> "GET /secret HTTP/1.0" 200 2123....
> > > all in one line (containing CR or other control characters).
> > > Because such a request would be logged in a way that would hide
> > > the information about the actual file returned (/thefile).
> > > Strictly spoken, it is a measure to protect the server against abuse.
> > >
> > > IMHO it would be a bad decision if the Apache Group would decide to
> > > directly support syntax errors in HTTP clients -- we are one of the
> > > major reference implementations for HTTP/1.1. But I copy this mail
> > > to the project management committee anyway to have them decide whether
> > > adding a configuration directive is desirable.
> >
> > We should at least match 1.3 and 2.0's behavior. 2.0, as of the latest
> > CVS, still allows HTTP-1.1 (or whatever).
> >
> > I agree that HTTP-1.1 is broken, but it is debatable whether we should
> > provide some sort of backwards compatibility. My thoughts are a
> > StrictProtocol directive that defaults to true but provides for
> > disabling the check and enabling the old behavior. In the process
> > I'll also rework the 1.3 code to avoid the use of sscanf's '%n'.
> > Votes/Comments?
> > --
> >
> ===========================================================================
> > Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
> > "A society that will trade a little liberty for a little order
> > will lose both and deserve neither" - T.Jefferson
> >
>
--
===========================================================================
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
"A society that will trade a little liberty for a little order
will lose both and deserve neither" - T.Jefferson
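
Added example, not part of the thread and not Apache's code: a hand-written check of the request line's protocol token that uses neither sscanf nor '%n', rejects control characters in every mode, and takes a strict flag in the spirit of the proposed StrictProtocol directive. The function name `parse_protocol`, its parameters, and the reading of "the old behavior" as tolerating `HTTP-1.1` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache's code): validate the protocol token of a
 * request line by hand, without sscanf or %n.
 * strict != 0: only "HTTP/<digits>.<digits>" with nothing after it.
 * strict == 0: additionally tolerate '-' as the separator ("HTTP-1.1"); this
 *              reading of "the old behavior" is an assumption.
 * Control characters are rejected in both modes: they are what lets a single
 * request forge a second access-log entry. Returns 1 on success, else 0. */
int parse_protocol(const char *tok, int strict, int *out_major, int *out_minor)
{
    const char *p;
    int maj = 0, min = 0, n;
    for (p = tok; *p; p++)
        if (iscntrl((unsigned char)*p))
            return 0;                    /* CR, LF, TAB, ... */
    if (strncmp(tok, "HTTP", 4) != 0)
        return 0;
    p = tok + 4;
    if (*p != '/' && (strict || *p != '-'))
        return 0;
    p++;
    for (n = 0; isdigit((unsigned char)*p) && n < 4; p++, n++)
        maj = maj * 10 + (*p - '0');
    if (n == 0 || *p != '.')
        return 0;                        /* missing or oversized major */
    p++;
    for (n = 0; isdigit((unsigned char)*p) && n < 4; p++, n++)
        min = min * 10 + (*p - '0');
    if (n == 0 || *p != '\0')
        return 0;                        /* trailing bytes after the version */
    *out_major = maj;
    *out_minor = min;
    return 1;
}

int main(void)
{
    /* Constructed samples; the last is modelled on the spoofing example above. */
    const char *s[] = { "HTTP/1.1", "HTTP-1.1",
        "HTTP/1.0\" 200 1234 \"x\" \"x\"\r1.2.3.4 - - \"GET /secret HTTP/1.0" };
    int i, a, b;
    for (i = 0; i < 3; i++)
        printf("%d: strict=%d lenient=%d\n", i, parse_protocol(s[i], 1, &a, &b),
               parse_protocol(s[i], 0, &a, &b));
    return 0;
}
```

Turning the strict flag off relaxes only the separator; a token carrying CR or any other control character is refused either way, so the compatibility switch does not reopen the log-spoofing path.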