On Mon, Dec 12, 2016 at 12:59 PM, Eric Covener <[email protected]> wrote:
> On Mon, Dec 12, 2016 at 1:54 PM, William A Rowe Jr <[email protected]>
> wrote:
>
> >> The problem seems to be that `Headers always set` negates the header
> >> removal, and the anti-recursion check doesn't seem to be working as
> >> intended.
> >
> > By removal, I'm suggesting this should happen in the http output filter
> > just as we are about to transmit them.
> >
> > So the header will be set, then it would then be un-set, but my issue
> > is that I can't find the programmatic pattern for apr_table_do to
> > manipulate the elts, and even if it exists, apr_table_do will quit once
> > the first bad elt is found and the callback first returns 0, preventing
> > us from reviewing the remaining header lines.
>
> We can loop over either apr_table_do or check_headers while they're
> failing, as long as you are removing 1 header each time to make
> progress.

Dozens of good headers followed by dozens of bad headers sounds like a DOS
vector. Probably easier if we just iterate the list ourselves and skip
apr_table_do(), although this sounds like a good example for an APR 1.next
enhancement later on.
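
The cost difference behind the two approaches discussed in this thread, as an added example that is not part of the original messages and is not httpd or APR code: it counts header inspections for "rescan and remove one bad header per pass" versus a single walk over the entries. `hdr_t`, `table_t`, `hdr_ok` and the CR/LF validity rule are constructed stand-ins, not APR types or httpd's actual check.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a header table; this is not APR's apr_table_t. */
typedef struct { const char *key, *val; } hdr_t;
typedef struct { hdr_t elts[64]; size_t n; } table_t;
static unsigned long visits; static size_t last_removed;

/* Hypothetical validity rule for the example: no CR or LF in the value. */
static int hdr_ok(const hdr_t *h) {
    visits++;
    return strpbrk(h->val, "\r\n") == NULL;
}

/* Approach 1: scan until the first bad header (as a callback returning 0
 * would stop apr_table_do), remove it, then rescan from the top. */
size_t strip_by_rescan(table_t *t) {
    size_t removed = 0, i;
    for (;;) {
        for (i = 0; i < t->n && hdr_ok(&t->elts[i]); i++) continue;
        if (i == t->n) return removed;
        memmove(&t->elts[i], &t->elts[i + 1], (t->n - i - 1) * sizeof(hdr_t));
        t->n--; removed++;
    }
}

/* Approach 2: walk the array once, compacting good entries in place. */
size_t strip_single_pass(table_t *t) {
    size_t w = 0, r;
    for (r = 0; r < t->n; r++)
        if (hdr_ok(&t->elts[r])) t->elts[w++] = t->elts[r];
    r = t->n - w; t->n = w;
    return r;
}

/* Inspections needed on constructed input: `good` valid, then `bad` invalid. */
unsigned long cost(size_t (*strip)(table_t *), size_t good, size_t bad) {
    table_t t;
    for (t.n = 0; t.n < good + bad && t.n < 64; t.n++)
        t.elts[t.n] = (hdr_t){ "X-Test", t.n < good ? "ok" : "a\r\nb" };
    visits = 0;
    last_removed = strip(&t);
    return visits;
}

int main(void) {
    printf("rescan: %lu, single pass: %lu\n",
           cost(strip_by_rescan, 24, 24), cost(strip_single_pass, 24, 24));
    return 0;
}
```

With two dozen good headers ahead of two dozen bad ones, the rescan loop re-inspects every good header on each pass, so its work grows with the product of the two counts while the single walk stays linear in the table size.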
