On 6/23/05, Jeff Trawick <[EMAIL PROTECTED]> wrote:
> On 6/23/05, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> > At 05:45 AM 6/23/2005, Jeff Trawick wrote:
> > >On 6/23/05, jean-frederic clere <[EMAIL PROTECTED]> wrote:
> > >> William A. Rowe, Jr. wrote:
> > >> > ++1 To Joe's comments.
> > >> >
> > >> > Jeff's fix is technically right, but scares the nibbles out
> > >> > of me. If, for example, an exploit is able to inject the
> > >> > T-E on top of the legit C-L, I really suspect we should not
> > >> > trust the origin server at all.
> > >
> > >If we don't allow keepalive, then it is down to whether or not this
> > >single request can be parsed correctly if our choice of {CL, TE} makes
> > >sense.
> >
> > So close the proxy connection if C-L and T-E are returned from the
> > origin server? That would upgrade my +.5 to +1 - I totally agree.
>
> Cool... I'm working on a code change and a test for this...

Even with plenty of caffeine I'm lost on how to get 2.1-dev proxy to try to keep backend connection. Some sort of configuration is now required? Backing down to 2.0.x for now.
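
The rule agreed on in the quoted discussion (do not reuse the backend connection when the origin server returns both C-L and T-E), sketched as an added example that is not part of the original thread and is not httpd's own code. `struct framing` and `decide_framing` are hypothetical names; preferring T-E over C-L follows RFC 2616 section 4.4, and treating any Transfer-Encoding header as the T-E case is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result type for this example; not an httpd structure. */
struct framing {
    int has_cl;       /* Content-Length header seen */
    int has_te;       /* Transfer-Encoding header seen */
    int use_cl;       /* 1 = frame body by C-L, 0 = by T-E or until close */
    int keep_backend; /* 0 = close backend connection after this response */
};

/* Case-insensitive match of a header field name at the start of a line. */
static int is_header(const char *line, const char *name)
{
    size_t n = strlen(name);
    return strncasecmp(line, name, n) == 0 && line[n] == ':';
}

/* Scan a CRLF-delimited header block (status line already consumed). */
struct framing decide_framing(const char *headers)
{
    struct framing f = {0, 0, 0, 0};
    const char *line = headers;

    while (line && *line && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        if (is_header(line, "Content-Length"))
            f.has_cl = 1;
        else if (is_header(line, "Transfer-Encoding"))
            f.has_te = 1;
        line = eol ? eol + 2 : NULL;
    }
    /* RFC 2616 4.4: with both present, Content-Length is ignored. */
    f.use_cl = f.has_cl && !f.has_te;
    /* Reuse only with exactly one framing header: both is the ambiguous
     * case from the thread, neither means the body runs until close. */
    f.keep_backend = (f.has_cl != f.has_te);
    return f;
}

int main(void)
{
    /* Constructed sample header block, not captured traffic. */
    const char *both = "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n";
    struct framing f = decide_framing(both);
    printf("use_cl=%d keep_backend=%d\n", f.use_cl, f.keep_backend);
    return 0;
}
```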