Re: breach attack

2013-08-10 Thread Reindl Harald
On 10.08.2013 21:28, Stefan Fritsch wrote: > On Friday, 9 August 2013, 22:04:22, Joe Orton wrote: >> On Fri, Aug 09, 2013 at 09:14:51AM -0700, Paul Querna wrote: >>> In this case, I don't know if any of the proposed mitigations >>> help; >>> I'd love to have an easy way to validate that, so

Re: breach attack

2013-08-10 Thread Stefan Fritsch
On Friday, 9 August 2013, 22:04:22, Joe Orton wrote: > On Fri, Aug 09, 2013 at 09:14:51AM -0700, Paul Querna wrote: > > In this case, I don't know if any of the proposed mitigations > > help; > > I'd love to have an easy way to validate that, so we could bring > > data to the discussion: If it

Re: breach attack

2013-08-10 Thread Stefan Fritsch
On Saturday, 10 August 2013, 18:11:09, Dirk-Willem van Gulik wrote: > So the only fundamental thing we can do (i.e. if we want to go > beyond guessing (future) browser and developer introduced > vulnerabilities at higher layers) is a wee bit of > padding/random*-cruft insertion in key places. Perh

Re: Fixing UDS in trunk/2.4 proposal

2013-08-10 Thread Jeff Trawick
On Sat, Aug 10, 2013 at 11:32 AM, Jim Jagielski wrote: > +1... By the way, I'm working on a minor patch that works around > that "stupid" encoding of '/' requirement... > Did you give any thought to bypassing the normal proxy parsing altogether? For mod_authnz_fcgi I started by using a copy of

Re: [DISCUSS] Dropping the E-word from mod_lua (SFW)

2013-08-10 Thread André Malo
* Jeff Trawick wrote: > On Fri, Aug 2, 2013 at 8:41 AM, Daniel Gruno wrote: > > > > I'd like to change the note to something along these lines: > > > > mod_lua is in a state of continuous development. Usage > > and behavior is subject to change at any time, even between stable > > releases o

Re: breach attack

2013-08-10 Thread Dirk-Willem van Gulik
On 10 Aug 2013, at 18:14, "Steinar H. Gunderson" wrote: > On Sat, Aug 10, 2013 at 06:11:09PM +0200, Dirk-Willem van Gulik wrote: >> I'd keep in mind that compression is simply an amplifier for this type of >> attack. It makes the approach more effective. But it is not essential; when >> you have

Re: breach attack

2013-08-10 Thread Steinar H. Gunderson
On Sat, Aug 10, 2013 at 06:11:09PM +0200, Dirk-Willem van Gulik wrote: > I'd keep in mind that compression is simply an amplifier for this type of > attack. It makes the approach more effective. But it is not essential; when > you have in essence a largely known plaintext surrounding a short secret

Re: breach attack

2013-08-10 Thread Dirk-Willem van Gulik
On 10 Aug 2013, at 00:37, Eric Covener wrote: > On Fri, Aug 9, 2013 at 5:24 PM, Steinar H. Gunderson > wrote: >> On Tue, Aug 06, 2013 at 01:32:00PM -0400, Eric Covener wrote: >>> Another option in this neighborhood is small/varying deflate blocks. >>> But that probably limits the usefulness of

Re: Fixing UDS in trunk/2.4 proposal

2013-08-10 Thread Jim Jagielski
+1... By the way, I'm working on a minor patch that works around that "stupid" encoding of '/' requirement... On Fri, Aug 09, 2013 at 03:51:20PM -0500, Daniel Ruggeri wrote: > So I'm tasked with making httpd hold its own weight better against nginx > as a reverse proxy to a local service. Unfortun

Re: [DISCUSS] Dropping the E-word from mod_lua (SFW)

2013-08-10 Thread Jeff Trawick
On Fri, Aug 2, 2013 at 8:41 AM, Daniel Gruno wrote: > Hi dev@, > Though this is mainly a question for docs@, I thought I'd drop this > email into the dev@ list instead, since this is where I think > objections, if there are any, will arise. > > Today, on various Internet channels, I have had to d