I'm just looking for a fix to this problem. Granted that this
is a security issue specifically in this case b/c the header
turns out to be a Client Cert.
I am not sure where the bug is; my guess is it's in mod-headers.
If that is the case, a plain HTTP header that is multi-line
would be corrupted
Hi
1. So whatever happened to this code?
2. Did this ever make it into Apache 2.0.44 and later?
Thanks.
--- In [EMAIL PROTECTED], Maik Mueller [EMAIL PROTECTED] wrote:
Hello Graham,
Friday, February 14, 2003, 12:17:23 PM, you wrote:
GL Looking at this further, the header value is
At 06:17 AM 2/14/2003, Graham Leggett wrote:
Maik Mueller wrote:
Putting arbitrary 8bit characters into headers makes me feel a bit uneasy
but I couldn't find a quote that this is forbidden.
Looking at this further, the header value is defined as TEXT. TEXT is defined as
OCTETs that are not
please remove my address from this mailing list as I was never asked to be put on.
Thank you
-Original Message-
From: Todd [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 7:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Patches and Enhancements for a SSL-Proxy Based on Apache
2.0
Hello Graham,
GL I overhauled mod_headers for Apache v2.0, so I am pretty confident it is
GL a bug. I will look at it sometime this weekend.
I agree with you that breaking multiple lines with CRLF and adding HT to the
following line will fix the bug of potentially building illegal headers from
Maik Mueller wrote:
Putting arbitrary 8bit characters into headers makes me feel a bit uneasy
but I couldn't find a quote that this is forbidden.
Looking at this further, the header value is defined as TEXT. TEXT is
defined as OCTETs that are not control characters. An OCTET is an 8 bit
Hello Graham,
Friday, February 14, 2003, 12:17:23 PM, you wrote:
GL Looking at this further, the header value is defined as TEXT. TEXT is
GL defined as OCTETs that are not control characters. An OCTET is an 8 bit
GL character. As far as I can see it should be up to the entity putting
GL data
Hello Graham,
Wednesday, February 12, 2003, 12:24:47 PM, you wrote:
GL Maik Mueller wrote:
1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader
directive isn't able to transfer it into a correct multi-line HTTP
header.
GL As I understand it, headers may span multiple lines
Hi Erik,
Hi Maik,
Just post it here or to the docs-list ([EMAIL PROTECTED]) as a unified
diff patch (diff -u). But please be aware that we are generating the whole
documentation from XML source. Therefore you should patch these instead of
the HTML files.
Yes, I have already learned that.
I
Maik Mueller wrote:
I don't consider the behavior of mod_headers as a bug.
The point is that the content of the environment variable
SSL_CLIENT_CERT isn't formatted according to the rules for folding
headers onto multiple lines.
The job of formatting the header onto multiple lines should be
Graham Leggett wrote:
Maik Mueller wrote:
I don't consider the behaviour of mod_headers as a bug.
The point is that the content of the environment variable
SSL_CLIENT_CERT isn't formatted according to the rules for folding
headers onto multiple lines.
The job of formatting the header onto
Maik Mueller wrote:
I'm neither the author of mod_headers nor can I see a bug in the current
behaviour.
I overhauled mod_headers for Apache v2.0, so I am pretty confident it is
a bug. I will look at it sometime this weekend.
You have to do both in any case. The check itself causes the
Hello All,
I want to provide updated information to my earlier described scenario using
mod_ssl + mod_proxy + mod_headers:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
The following discussion
Maik Mueller wrote:
1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader
directive isn't able to transfer it into a correct multi-line HTTP header.
As I understand it, headers may span multiple lines (correct me if I am
wrong). Therefore if RequestHeader isn't able to handle
Cool..
Can you please post the patch to the list, so that ppl can review the code,
and give their comments.
-Madhu
No problem!
Here is my short README describing the patch and its history from Apache
version 2.0.43 to 2.0.44:
Hello!
This is the distribution point for the Apache 2.0 as SSL
Cool..
Can you please post the patch to the list, so that ppl can review the code,
and give their comments.
-Madhu
-Original Message-
From: Maik Mueller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 11, 2003 11:26 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Hello All,
I want to provide updated information to my earlier described scenario using
mod_ssl + mod_proxy + mod_headers:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
The following discussion
17 matches