Zvi and all,
I have mixed thoughts about the whole thing. There are two sides to
the story.
1. mod_proxy is RFC compliant - So why break apache to accommodate M$'s
lack of ability to read and implement a standard that was published in
June 1999? Yesterday I was talking to an MCS consultant and he said,
"well that standard is so old!" I responded with, "yeah .. three years
and MS still hasn't had time to read it." :) I was laughing, he wasn't.
:)
2. There are a LOT of IIS servers on the Internet - So until EVERY ONE
of them is patched this will be a problem for folks using apache as a
proxy/cache. I was considering reworking the previous patch (yours and
mine, very similar) to incorporate *ALL* of the entity-headers in
section 7.1 to insulate against contamination via IIS servers into the
apache proxy. Unfortunately, as I previously stated, there are a *TON*
(tm) of IIS servers on the Internet. Until they are *ALL* patched,
assuming such a patch exists or is created, we are all at risk. I
really consider this type of patch to be a defensive patch for
mod_proxy, more than anything else.
Thoughts?
I'd like to thank Graham for sending me down the path to solution.
Geff
