On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> If anything, this is a really minor security hole. If an attacker can
> get into your system merely by knowing the internal names/IPs or your
> servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> or set up a virtual-host to accept the name that brought the requests
> to the firewall (really, it's just a proxy) in the first place (if you
> don't care about <HTTP/1.1 requests, which is how it works in practice).
No, this is a functional error because the browser will use the location
field to get the next request (which is not resolvable from the outside
in most cases with a firewall). Oops.
> p.s. Are "GET ... HTTP/1.0" requests allowed to return "HTTP/1.1" responses?
Yes, the server should respond the highest HTTP version it supports.
-- justin
