https://issues.apache.org/bugzilla/show_bug.cgi?id=48204

Joe Orton <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #6 from Joe Orton <[email protected]> 2009-11-16 05:49:33 UTC ---
1) I'm surprised that patch has any effect; if it does, surely it is due to
timing of the receipt of the app-data packets comprising the victim's request
by the server, which is under the control of the attacker?

2) I can't see how discarding data at this point is a good idea - if you
presume the connection is under active attack in that code path, the only sane
course of action is to log that and close the connection, right?  If you don't
presume the connection is under active attack then discarding bytes is going to
cause some weird and wonderful failure modes.

I think it'd be better to discuss this on d...@httpd to get a wider audience. 
Could you start a thread there, maybe with some packet traces or similar to
outline how this would work?
