On Sat, Nov 15, 2014 at 1:57 PM, Jeff Trawick <[email protected]> wrote: > > I was looking at the diffs for 2.4 and noticed some vestigial code from the > first revision; please check the attached patch to see if you agree with > some additional removals.
Agreed, I should have reverted the patch and restarted from scratch. To ease review now, I'd better revert the whole and re-commit once for both *fcgi modules, and propose this one for the CVE. > Also, my understanding is that > > * some of the code in your first revision of both modules catches potential > errors that should have been caught before, so that's an additional issue > that could be mentioned in CHANGES. You are talking about the loop-breakage after the switch() which now catches inner errors (not reverted by your patch), right? I'll propose this change separately (from the CVE commit) then. > * the one CVE should apply to both modules, and the CHANGES entry can be > grouped together. (It could in fact be the same affected application, which > supports both authentication&|authorization and response generation, using > the two modules) > > Agreed? Yes, clearly. Regarding HTTP conformance (iscntl() and parsing), everything is already there in fact, I just didn't look far enough in the chain (ap_scan_script_header_err_core_ex and finally ap_http_header_filter). We are just missing LimitResponseFieldSize now, for all proxy modules... Regards, Yann.
