On Jun 15, 2015 1:26 PM, "Graham Leggett" <minf...@sharp.fm> wrote: > > On 15 Jun 2015, at 7:00 PM, Jeff Trawick <traw...@gmail.com> wrote: > > > 1.3 (or 1.3-based servers) put whitespace there. > > 1.3.x, 2.0.x, 2.2.x, and 2.4.x (for all released x so far) accepts whitespace there. > > We can't change that by default in a stable branch. > > +1. > > We need to be liberal in what we accept. I don’t even think a “strict” mode serves much purpose.
That 'thinking' by many server authors created the stack of CVE-2005 issues identified by Watchfire as low, medium and worse severities. This is not metadata. It is transport-layer data. And we have precedent for closing vulnerabilities in 2005, and the several SSL vendors have done similar. That said, httpd 2 has always done the right thing with respect to not passing hop-by-hop data verbatim. So we are in a bit better position than some, and this mitigates the surface area of the attack. The recent enhancements to further protect from split requests is also reassuring.