On 09/29/2014 06:57 PM, Stefan Fritsch wrote:
> On Monday 29 September 2014 10:07:40, Nick Kew wrote:
>> Yes. It's catching potential attacks in r->headers_in.
>> The rest is paranoia-mode afterthoughts:
>> PATH_INFO/QUERY_STRING because they could contain something
>> interesting, subprocess_env just "because it's there" (there's
>> a code comment about "just to be paranoid").
> I haven't looked at the code deeply, but SERVER_PROTOCOL is one vector
> for shell-shock and mod_taint does not seem to cover that.
>
> Of course, I would be in favor of httpd itself enforcing a sane value
> for this and other variables (see strict mode in trunk), but 2.4
> doesn't.
>

I just want to point out that () is not the only possible string. Actually what you want to catch is something like this:

^\(.*\)

Marian
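
The check discussed in this thread, as an added example (not code from the message above or from mod_taint): it applies the pattern quoted in the message to a CGI-style environment, including SERVER_PROTOCOL, and records which values a literal `()` prefix test would miss. The variable selection, the function names and the sample values are assumptions constructed for illustration.

```python
import re

LITERAL_PREFIX = "()"                   # the narrow check the message warns about
BROAD_PATTERN = re.compile(r"^\(.*\)")  # the pattern quoted in the message

# Variables named in the thread; HTTP_* stands in for r->headers_in (assumption).
NAMED_VARS = {"PATH_INFO", "QUERY_STRING", "SERVER_PROTOCOL"}


def classify(value):
    """Return 'literal', 'broad' or None for one environment value."""
    if value.startswith(LITERAL_PREFIX):
        return "literal"
    if BROAD_PATTERN.search(value):
        return "broad"  # caught only by the wider pattern
    return None


def scan_env(env, paranoid=False):
    """Map variable name -> match kind for a CGI-style environment dict.

    paranoid=True inspects every variable (the "because it's there"
    treatment of subprocess_env); otherwise only HTTP_* and NAMED_VARS.
    """
    findings = {}
    for name, value in env.items():
        in_scope = paranoid or name.startswith("HTTP_") or name in NAMED_VARS
        kind = classify(value) if in_scope else None
        if kind:
            findings[name] = kind
    return findings


# Constructed sample environment, not captured traffic.
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "() { constructed-sample",
    "HTTP_REFERER": "( ) { constructed-sample",
    "HTTP_ACCEPT": "text/html",
    "SERVER_PROTOCOL": "(x) constructed-sample",
    "QUERY_STRING": "q=(a)",
    "REMOTE_IDENT": "(none)",
}

if __name__ == "__main__":
    for var, kind in sorted(scan_env(SAMPLE_ENV, paranoid=True).items()):
        print(f"{var}: {kind}")
```

In paranoid mode the harmless `(none)` value is flagged too, so hits from the wider pattern need review before they are used to reject requests.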
