Here's the patch in case anyone is interested in applying it to their own
Apache. I think there's probably a bug in that \n might not always be the
right thing to look for (CRLF issues), so please send me corrections ;-)
I haven't actually run this, so it might not work. But to quote Lord
Flashheart: "That's the kind of guy I am". :-)
Index: src/main/http_protocol.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.329
diff -u -r1.329 http_protocol.c
--- src/main/http_protocol.c 3 Oct 2002 20:51:53 -0000 1.329
+++ src/main/http_protocol.c 28 Jan 2003 11:26:37 -0000
@@ -1561,8 +1561,16 @@
const char *fieldname,
const char *fieldval)
{
+ char *line_feed;
if (strcasecmp(fieldname, "ETag") == 0) {
if (ap_table_get(r->notes, "no-etag") != NULL) {
+ return 1;
+ }
+ }
+ if ((line_feed = strchr(fieldval, '\n')) != NULL) {
+ /* don't allow any headers with line feeds in them */
+ if (line_feed[1] != ' ' && line_feed[1] != '\t') {
+ /* unless it's a continuation */
return 1;
}
}
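Review bot: the new `strchr(fieldval, '\n')` check only inspects the first line feed in the value, so a value such as `a\n b\nInjected: x` is let through (the first LF is followed by a space, so it looks like a continuation) even though the second LF still terminates the header and starts a new one; scan every break instead, e.g. `for (p = fieldval; (p = strpbrk(p, "\r\n")) != NULL; p++)` with the continuation test applied at each hit, and reject a bare `\r` as well, since the covering message already flags CRLF handling as the weak spot. The same scan should be applied to `fieldname`, which this hunk does not look at. Two smaller points: `line_feed[1]` is safe when the LF is the last byte (it reads the terminating NUL, which is correctly treated as "not a continuation"), and the offending header is dropped silently via `return 1` with no log entry, so an operator never learns that a CGI or module tried to emit a split header; an `ap_log_rerror()` at warning level before the return would give them that signal.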
--
<!-- Matt -->
<:->get a SMart net</:->
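The message above worries that looking for \n alone is not enough (CRLF issues). The following is an added, stand-alone example, not Apache code and not part of the original post, of a header-value check that handles those cases: it rejects a bare CR outright, accepts LF or CRLF only when the next byte is a space or tab (a folded continuation line), and inspects every line break in the value rather than just the first. The function name `header_value_is_safe` and the sample values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Apache code): decide whether a response header value
 * may be emitted without allowing response splitting / header injection.
 *
 * Rule: a bare CR is never allowed.  LF or CRLF is allowed only when the
 * byte after it is SP or HTAB, i.e. an (obsolete) folded continuation line.
 * Every line break in the value is inspected, not just the first one.
 *
 * Returns 1 if the value is safe to send, 0 if it must be dropped.
 */
int header_value_is_safe(const char *fieldval)
{
    const char *p = fieldval;

    while ((p = strpbrk(p, "\r\n")) != NULL) {
        if (*p == '\r') {
            if (p[1] != '\n') {
                return 0;        /* bare CR: reject outright */
            }
            p++;                 /* CRLF: step onto the LF */
        }
        /* *p is now the LF that ends this line break; a trailing LF
         * leaves p[1] == '\0', which is correctly rejected below. */
        if (p[1] != ' ' && p[1] != '\t') {
            return 0;            /* break not followed by a continuation */
        }
        p++;                     /* keep scanning after the LF */
    }
    return 1;
}

/* Sample values constructed for this example; the last two are attacks. */
struct sample { const char *label; const char *value; };

static const struct sample samples[] = {
    { "plain",                "text/html; charset=iso-8859-1" },
    { "LF continuation",      "a\n b" },
    { "CRLF continuation",    "a\r\n\tb" },
    { "bare CR",              "a\rb" },
    { "trailing LF",          "a\n" },
    { "injected header",      "a\r\nSet-Cookie: x=1" },
    { "injection after fold", "a\n b\nSet-Cookie: x=1" },
};

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s %s\n", samples[i].label,
               header_value_is_safe(samples[i].value) ? "send" : "drop");
    }
    return 0;
}
```

Note that the "injection after fold" sample is exactly the case a first-LF-only check misses: the first break is a legitimate continuation, the second one is not. Since folded header lines are deprecated anyway, a stricter deployment can drop the continuation allowance entirely and reject any CR or LF.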