On Tue, Mar 02, 2010 at 04:01:29AM -0000, William Rowe wrote: > Author: wrowe > Date: Tue Mar 2 04:01:29 2010 > New Revision: 917867 > > URL: http://svn.apache.org/viewvc?rev=917867&view=rev > Log: > Ensure each subrequest has a shallow copy of headers_in so that the > parent request headers are not corrupted. Eliminates a problematic > optimization in the case of no request body. > > PR: 48359 > Submitted by: Jake Scott, wrowe, rpluem > Backports: server/protocol.c r901578 > Reviewed by: minfrin
There is some discussion on the PR (and previously on security@) about the potential security impact to this - the argument being that in a threaded server, memory re-use could lead to an information leak of request/response data from another thread. This seems like a borderline case, but we should assign a CVE name - Mark, can you assign one? Regards, Joe
