Hi Yann, Am 01.10.2013 17:08, schrieb Yann Ylavic: > As far as I understand the issue, the main point of prefetch was to fix > CVE-2005-2088, a HTTP Request Smuggling attack (see also > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088). > > This is discussed in PR40029 and is not related to HRS, the real fix > regarding HRS was about both CL/TE sent by th client > (https://issues.apache.org/bugzilla/show_bug.cgi?id=40029#c4).
Independent from how the HRS issue (CVE-2005-2088) was fixed at that time, I still believe that it is a bad idea in terms of security to flush the buffer and forward its content to the backend before the *whole* request body has been received. At least I would recommend to carefully review this change to make sure you don't create a new security issue similar to the HRS issue. Regards, Micha
