On 6/23/05, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> At 05:45 AM 6/23/2005, Jeff Trawick wrote:
> >On 6/23/05, jean-frederic clere <[EMAIL PROTECTED]> wrote:
> >> William A. Rowe, Jr. wrote:
> >> > ++1 To Joe's comments.
> >> >
> >> > Jeff's fix is technically right, but scares the nibbles out
> >> > of me.  If, for example, an exploit is able to inject the
> >> > T-E on top of the legit C-L, I really suspect we should not
> >> > trust the origin server at all.
> >
> >If we don't allow keepalive, then it is down to whether or not this
> >single request can be parsed correctly if our choice of {CL, TE} makes
> >sense.
> 
> So close the proxy connection if C-L and T-E are returned from the
> origin server?  That would upgrade my +.5 to +1 - I totally agree.

Cool...  I'm working on a code change and a test for this...
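
The check agreed on above, as an added example that is not part of the original message and is not httpd's code: scan the origin server's response headers, and if both Content-Length and Transfer-Encoding are present, parse this one response but do not reuse the backend connection. The type and function names are hypothetical, and the choice of Transfer-Encoding over Content-Length when both appear is taken from RFC 2616 section 4.4, not from the thread.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct framing {            /* hypothetical type for this example, not httpd's */
    bool has_cl, has_te;    /* Content-Length / Transfer-Encoding seen */
    bool use_te;            /* frame the body by Transfer-Encoding */
    bool keepalive_ok;      /* backend connection may be reused */
};

/* Case-insensitive match of "name:" at the start of a header line. */
static bool is_field(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len <= n || line[n] != ':')
        return false;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return false;
    return true;
}

/* Scan a CRLF-delimited header block (status line already consumed). */
struct framing classify_response(const char *hdrs)
{
    struct framing f = { false, false, false, true };
    for (const char *p = hdrs; *p; ) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0)
            break;              /* blank line ends the headers */
        if (is_field(p, len, "Content-Length"))
            f.has_cl = true;
        else if (is_field(p, len, "Transfer-Encoding"))
            f.has_te = true;
        p = eol ? eol + 2 : p + len;
    }
    f.use_te = f.has_te;        /* RFC 2616 4.4: T-E present means C-L is ignored */
    f.keepalive_ok = !(f.has_cl && f.has_te); /* both: parse this response, then close */
    return f;
}

int main(void)
{
    const char *sample = "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"; /* constructed */
    struct framing f = classify_response(sample);
    printf("use_te=%d keepalive_ok=%d\n", f.use_te, f.keepalive_ok);
    return 0;
}
```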
