On Monday 29 September 2014 10:07:40, Nick Kew wrote: > Yes. It's catching potential attacks in r->headers_in. > The rest is paranoia-mode afterthoughts: > PATH_INFO/QUERY_STRING because they could contain something > interesting, subprocess_env just "because it's there" (there's > a code comment about "just to be paranoid").
I haven't looked at the code deeply, but SERVER_PROTOCOL is one vector for shell-shock and mod_taint does not seem to cover that. Of course, I would be in favor of httpd itself enforcing a sane value for this and other variables (see strict mode in trunk), but 2.4 doesn't.
