On Monday 28 November 2011, Nick Kew wrote:
> On 28 Nov 2011, at 00:37, Stefan Fritsch wrote:
> > Hi,
> >
> > while browsing a bit through Michael Zalewski's new Tangled Web
> > book, I was reminded again that we are very forgiving about what
> > we accept as a request. Is this really a good idea in the time
> > of lots of web security issues?
>
> Sounds like you're thinking of something like mod_taint[1] plus a
> default ruleset to ship it with?
I thought more of something that is contained in the core, aborts processing early for invalid requests, is not configurable (except maybe for a lax/strict switch) and does not reduce performance in any significant way. Not sure if a regex approach is right there. But I am not sure if doing such validation in the core is worth the effort, either.
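As an added illustration (not code from this thread or from httpd) of the kind of early, non-configurable, regex-free request-line check being discussed: one pass over the bytes, rejecting anything outside the RFC 7230 method token grammar, a printable-ASCII request-target, and HTTP/1.0 or 1.1. The function name, the 16-byte method limit and the restriction to origin-form and absolute-form targets are assumptions made for this example.

```c
/* Added example, not Apache httpd code: strict, table-driven validation of
 * an HTTP/1.x request line without regexes. Returns 1 if well-formed, else 0. */
#include <ctype.h>
#include <string.h>

/* RFC 7230 "tchar": characters allowed in a method token. */
static int is_tchar(unsigned char c)
{
    if (c == '\0') return 0;
    if (isalnum(c)) return 1;
    return strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Accepted request-target bytes: printable ASCII except SP and DEL.
 * Assumption: no control bytes, no high-bit bytes, deliberately strict. */
static int is_target_char(unsigned char c)
{
    return c > 0x20 && c < 0x7f;
}

int validate_request_line(const char *line)
{
    const char *p = line, *q;
    size_t n;

    /* Method: 1..16 tchars followed by exactly one SP (limit is an assumption). */
    for (q = p; is_tchar((unsigned char)*q); q++) ;
    n = (size_t)(q - p);
    if (n == 0 || n > 16 || *q != ' ') return 0;
    p = q + 1;

    /* Request-target: origin-form ("/..."), asterisk-form, or absolute-form. */
    for (q = p; is_target_char((unsigned char)*q); q++) ;
    n = (size_t)(q - p);
    if (n == 0 || *q != ' ') return 0;
    if (p[0] != '/' && p[0] != '*' && strncmp(p, "http://", 7) != 0
        && strncmp(p, "https://", 8) != 0) return 0;
    p = q + 1;

    /* Version: exactly "HTTP/1.0" or "HTTP/1.1", then CRLF or end of string. */
    if (strncmp(p, "HTTP/1.", 7) != 0) return 0;
    if (p[7] != '0' && p[7] != '1') return 0;
    p += 8;
    if (*p == '\r') p++;
    if (*p == '\n') p++;
    return *p == '\0';
}
```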