On Tuesday, November 6, 2012, Stefan Fritsch wrote:
Hi,
On Sat, 21 Apr 2012, Jeff Trawick wrote:
there is the problem that if modules like mod_status or
mod_proxy_balancer are loaded, all people with permissions to create
.htaccess files can use the status pages by using SetHandler in an
Hi,
considering the current state of web security, the old principle of be
liberal in what you accept seems increasingly inadequate for web servers.
It causes lots of issues like response splitting, header injection, cross
site scripting, etc. The book Tangled Web by Michal Zalewski is a good
On Wed, 7 Nov 2012 12:26:23 +0100 (CET)
Stefan Fritsch s...@sfritsch.de wrote:
What do you think?
I've made occasional efforts in this direction in the past,
but never seen much interest in bringing such functionality
into core (as opposed to WAF).
One such:
Certainly once mod_lua is more production ready, we could
use that, couldn't we?
On Nov 7, 2012, at 6:54 AM, Nick Kew n...@webthing.com wrote:
On Wed, 7 Nov 2012 12:26:23 +0100 (CET)
Stefan Fritsch s...@sfritsch.de wrote:
What do you think?
I've made occasional efforts in this
On Wed, 7 Nov 2012, Nick Kew wrote:
What do you think?
I've made occasional efforts in this direction in the past,
but never seen much interest in bringing such functionality
into core (as opposed to WAF).
One such: http://people.apache.org/~niq/mod_taint.html
What you proposed there was
On Wed, 7 Nov 2012, Jim Jagielski wrote:
Certainly once mod_lua is more production ready, we could
use that, couldn't we?
One could of course. But not everyone has lua, lua is slower than C, and
even doing it in a module instead of core is sometimes more work. For
example, currently we set
On 07 Nov 2012, at 3:34 PM, Stefan Fritsch s...@sfritsch.de wrote:
One could of course. But not everyone has lua, lua is slower than C, and even
doing it in a module instead of core is sometimes more work. For example,
currently we set r->protocol to HTTP/1.0 even if the original request
On Wed, 7 Nov 2012, Graham Leggett wrote:
On 07 Nov 2012, at 3:34 PM, Stefan Fritsch s...@sfritsch.de wrote:
One could of course. But not everyone has lua, lua is slower than C, and even doing it in a
module instead of core is sometimes more work. For example, currently we set r->protocol
to
On Nov 7, 2012, at 8:34 AM, Stefan Fritsch s...@sfritsch.de wrote:
On Wed, 7 Nov 2012, Jim Jagielski wrote:
Certainly once mod_lua is more production ready, we could
use that, couldn't we?
One could of course. But not everyone has lua, lua is slower than C, and even
doing it in a
On Wed, 7 Nov 2012, Jim Jagielski wrote:
One could of course. But not everyone has lua, lua is slower than C, and even
doing it in a module instead of core is sometimes more work.
My response was in regards to mod_taint...
Sorry, then I misunderstood.
Cheers,
Stefan
On 7 Nov 2012, at 17:56, s...@apache.org wrote:
Author: sf
Date: Wed Nov 7 16:56:38 2012
New Revision: 1406719
URL: http://svn.apache.org/viewvc?rev=1406719&view=rev
Log:
New directive HttpProtocol which allows to disable HTTP/0.9 support.
It feels wrong targeting 0.9 only, would it be
On Nov 7, 2012, at 12:05 PM, Graham Leggett minf...@sharp.fm wrote:
On 7 Nov 2012, at 17:56, s...@apache.org wrote:
Author: sf
Date: Wed Nov 7 16:56:38 2012
New Revision: 1406719
URL: http://svn.apache.org/viewvc?rev=1406719&view=rev
Log:
New directive HttpProtocol which allows to
On Wed, Nov 7, 2012 at 1:34 PM, Stefan Fritsch s...@sfritsch.de wrote:
On Wed, 7 Nov 2012, Jim Jagielski wrote:
Certainly once mod_lua is more production ready, we could
use that, couldn't we?
One could of course. But not everyone has lua, lua is slower than C, and
even doing it in a
On Wed, 7 Nov 2012, Graham Leggett wrote:
On 7 Nov 2012, at 17:56, s...@apache.org wrote:
Author: sf
Date: Wed Nov 7 16:56:38 2012
New Revision: 1406719
URL: http://svn.apache.org/viewvc?rev=1406719&view=rev
Log:
New directive HttpProtocol which allows to disable HTTP/0.9 support.
It feels
On 7 Nov 2012, at 11:26, Stefan Fritsch wrote:
considering the current state of web security, the old principle of be
liberal in what you accept seems increasingly inadequate for web servers. It
causes lots of issues like response splitting, header injection, cross site
scripting, etc. The
On 07 Nov 2012, at 8:12 PM, Stefan Fritsch s...@sfritsch.de wrote:
Any suggestions for a syntax? Maybe:
HttpProtocol 1.1 # only 1.1
HttpProtocol 1.0- # 1.0 and above
HttpProtocol 1.0-1.1 # 1.0 and 1.1
HttpProtocol -1.0 # 1.0 and below
We could then still add additional
On 7 Nov 2012, at 18:12, Stefan Fritsch wrote:
On Wed, 7 Nov 2012, Graham Leggett wrote:
New directive HttpProtocol which allows to disable HTTP/0.9 support.
It feels wrong targeting 0.9 only, would it be possible to do this in a
generic way, say by listing the ones accepted, or by
* Graham Leggett wrote:
On 7 Nov 2012, at 17:56, s...@apache.org wrote:
Author: sf
Date: Wed Nov 7 16:56:38 2012
New Revision: 1406719
URL: http://svn.apache.org/viewvc?rev=1406719&view=rev
Log:
New directive HttpProtocol which allows to disable HTTP/0.9 support.
It feels wrong
On 07 Nov 2012, at 10:35 PM, André Malo n...@perlig.de wrote:
It feels wrong targeting 0.9 only, would it be possible to do this in a
generic way, say by listing the ones accepted, or by specifying a
minimum?
Hmm, what would be the use case? I see it with HTTP/0.9, but I don't see it
with