On Wed, May 22, 2013 at 2:07 PM, Graham Leggett <[email protected]> wrote:
> On 22 May 2013, at 1:48 PM, Yann Ylavic <[email protected]> wrote:
>
> > I am not saying that the filter should not tolerate LF only as separator,
> > but that after the chunk (i.e. in the BODY_CHUNK_END state) it should only
> > accept CRLF (or LF only) and nothing else.
>
> Sure, but the old filter behaved this way, and so the new filter has had
> to match it exactly. We just don't know what code is out there that depends
> on this behaviour.

Well, one could inject arbitrary data in this room (with no LF), bypassing
LimitRequestBody (which does not count chunk separators), and eat resources.
This opens doors, as often when a protocol is not checked carefully...

Regards,
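
The check discussed in this message, as an added example that is not part of the original mail and not httpd's own filter code: a minimal chunked-body decoder that accepts only CRLF or a bare LF after a chunk's data and charges every raw byte, separators included, against a budget. The function name, the `ST_*` states and `max_raw` are assumptions for illustration; chunk extensions and trailers are deliberately not handled.

```c
#include <stddef.h>
/* Example states; only BODY_CHUNK_END is a name taken from the thread. */
enum chunk_state { ST_SIZE, ST_SIZE_LF, ST_DATA, BODY_CHUNK_END, ST_END_LF, ST_DONE };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold A-F onto a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Returns the payload byte count, -1 on malformed framing, -2 when more
 * than max_raw raw bytes (framing included) are needed. Hypothetical API. */
long strict_chunked_len(const char *buf, size_t len, size_t max_raw)
{
    enum chunk_state st = ST_SIZE;
    size_t remaining = 0, digits = 0;
    long payload = 0;
    for (size_t i = 0; i < len && st != ST_DONE; i++) {
        unsigned char c = (unsigned char)buf[i];
        int h = hexval(c);
        if (i >= max_raw) return -2;             /* separators are counted too */
        switch (st) {
        case ST_SIZE:                            /* at most 8 hex digits of size */
            if (h >= 0 && digits < 8) { remaining = remaining * 16 + (size_t)h; digits++; }
            else if (c == '\r' && digits) st = ST_SIZE_LF;
            else if (c == '\n' && digits) st = remaining ? ST_DATA : ST_DONE;
            else return -1;
            break;
        case ST_SIZE_LF:
            if (c != '\n') return -1;
            st = remaining ? ST_DATA : ST_DONE; break;
        case ST_DATA:
            payload++;
            if (--remaining == 0) st = BODY_CHUNK_END;
            break;
        case BODY_CHUNK_END:                     /* only CRLF or a bare LF may follow */
            if (c == '\r') st = ST_END_LF;
            else if (c == '\n') { st = ST_SIZE; digits = 0; }
            else return -1;                      /* any other byte ends the request */
            break;
        case ST_END_LF:
            if (c != '\n') return -1;
            st = ST_SIZE; digits = 0; break;
        default: break;
        }
    }
    return st == ST_DONE ? payload : -1;         /* truncated input is an error */
}
```
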
