On 01/16/2017 04:42 PM, Jacob Champion wrote:
Current guidance to avoid BREACH is still, AFAIK, to avoid situations
where third-party data is being sent in the same response as first-party
secrets. I don't think we have a way to know when this is happening
...though if the current response is
On 01/16/2017 04:06 PM, William A Rowe Jr wrote:
Before we push this at users.. is there a concern that brotli
compression has similar dictionary or simply size based vulnerabilities
as deflate?
If you mean HTTP compression oracles (BREACH et al), then I would expect
*any* compression
Before we push this at users.. is there a concern that brotli compression
has similar dictionary or simply size based vulnerabilities as deflate?
If so, maybe we teach both to step out of the way when SSL encryption
filters are in place?
On Jan 16, 2017 10:14, "Jim Jagielski"
For the most part, yes except the portions that make the header presence
optional (the HDR_MISSING case). Those were added as it came into the
code base to handle a use case I was working on. I've added some
comments inline since I won't have time to poke around myself for a
while yet.
For
Jim Jagielski writes:
> Functional patch avail... working on doccos.
>
> http://home.apache.org/~jim/patches/brotli-2.4.patch
Hi Jim,
Thank you for the backport patch.
There is, however, a potential problem with backporting mod_brotli, since
it relies on the Brotli
On 01/11/2017 10:37 AM, Luca Toscano wrote:
I still haven't found any good/clear motivation to send the FCGI_ABORT
record (just before dropping the connection), but I am probably missing
some good point or my assumptions could be wrong. Any comment or
suggestion would be really welcome :)
My
Functional patch avail... working on doccos.
http://home.apache.org/~jim/patches/brotli-2.4.patch
> On Jan 16, 2017, at 11:11 AM, Jim Jagielski wrote:
>
> Just a heads-up that I am working on the backport proposal/patch
> for brotli for 2.4.x...
Let me take a look... afaict, this is a copy of what
was donated, which has been working for numerous people.
But that doesn't mean it can't have bugs ;)
> On Jan 16, 2017, at 7:20 AM, Ruediger Pluem wrote:
>
> Anyone?
>
> Regards
>
> Rüdiger
>
> On 01/10/2017 12:39 PM,
Just a heads-up that I am working on the backport proposal/patch
for brotli for 2.4.x...
Anyone?
Regards
Rüdiger
On 01/10/2017 12:39 PM, Ruediger Pluem wrote:
>
>
> On 12/30/2016 03:20 PM, drugg...@apache.org wrote:
>> Author: druggeri
>> Date: Fri Dec 30 14:20:48 2016
>> New Revision: 1776575
>>
>> URL: http://svn.apache.org/viewvc?rev=1776575=rev
>> Log:
>> Merge new PROXY
On 15 Jan 2017, at 18:35, Daniel Ruggeri wrote:
>> Are we *sure* we want to call it RemoteIPProxyProtocol instead
>> of just "regular" ProxyProtocol ?
>>
>> The latter just sounds and looks "more right" to me.
>
> I still like RemoteIPProxyProtocol because I also like the