On 6/23/05, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> At 05:45 AM 6/23/2005, Jeff Trawick wrote:
> >On 6/23/05, jean-frederic clere <[EMAIL PROTECTED]> wrote:
> >> William A. Rowe, Jr. wrote:
> >> > ++1 To Joe's comments.
> >> >
> >> > Jeff's fix is technically right, but scares the nibbles out
> >> > of me. If, for example, an exploit is able to inject the
> >> > T-E on top of the legit C-L, I really suspect we should not
> >> > trust the origin server at all.
> >
> >If we don't allow keepalive, then it is down to whether or not this
> >single request can be parsed correctly if our choice of {CL, TE} makes
> >sense.
>
> So close the proxy connection if C-L and T-E are returned from the
> origin server? That would upgrade my +.5 to +1 - I totally agree.

Cool... I'm working on a code change and a test for this...
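
Added example, not part of this thread and not the project's own code: the policy discussed above, where a backend response carrying both C-L and T-E is read using T-E and the proxy connection is not kept alive. The names decide_framing and struct framing are hypothetical, and any Transfer-Encoding is assumed to mean chunked.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum body_framing { BODY_NONE, BODY_LENGTH, BODY_CHUNKED };
struct framing { enum body_framing mode; int conflict; int keepalive; };

/* Case-insensitive match of one header line against "name:". */
static int is_header(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    return len > n && strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Scan a CRLF-delimited response head and decide how to read the body. */
struct framing decide_framing(const char *head)
{
    struct framing f = { BODY_NONE, 0, 1 };
    int has_cl = 0, has_te = 0;

    for (const char *p = head; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) break;              /* blank line ends the headers */
        has_cl |= is_header(p, len, "Content-Length");
        has_te |= is_header(p, len, "Transfer-Encoding");
        if (!eol) break;
        p = eol + 2;
    }
    /* RFC 2616 4.4: with both present, Content-Length is ignored.
       Simplification: any Transfer-Encoding is treated as chunked. */
    if (has_te) f.mode = BODY_CHUNKED;
    else if (has_cl) f.mode = BODY_LENGTH;
    if (has_cl && has_te) {
        f.conflict = 1;
        f.keepalive = 0;   /* ambiguous framing: never reuse this connection */
    }
    return f;
}

int main(void)
{
    /* Constructed sample: a backend response carrying both headers. */
    const char *both = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
                       "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n";
    struct framing f = decide_framing(both);
    printf("mode=%d conflict=%d keepalive=%d\n", (int)f.mode, f.conflict, f.keepalive);
    return 0;
}
```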