On Thursday 08 November 2012, Nick Kew wrote:
> > I intended to add a directive to easily register custom methods
> > (i.e. call ap_method_register()). Do you think there is reason
> > to allow arbitrary methods, and not just a configured list of
> > allowed ones?
>
> If methods are to be activel
On Thu, 8 Nov 2012 11:18:37 +0100 (CET)
Stefan Fritsch wrote:
> On Wed, 7 Nov 2012, Tim Bannister wrote:
>
> > On 7 Nov 2012, at 11:26, Stefan Fritsch wrote:
> >> If a method is not registered, bail out early.
> >
> >
> > Good idea, but it would be nice to be able to use or
> > to re-allow it
> Sent: Wednesday, November 7, 2012 12:26 Newsgroups: gmane.comp.apache.devel
> To: dev@httpd.apache.org
> Subject: Rethinking "be liberal in what you accept"
>
> Hi,
>
> considering the current state of web security, the old principle of "be
> liberal in what you accept" seems incr
What about mod_security? It has a lot of similar checks and even more.
-----Original Message-----
From: Stefan Fritsch
Sent: Wednesday, November 7, 2012 12:26 Newsgroups: gmane.comp.apache.devel
To: dev@httpd.apache.org
Subject: Rethinking "be liberal in what you accept"
Hi,
consi
On Wed, 7 Nov 2012, Tim Bannister wrote:
On 7 Nov 2012, at 11:26, Stefan Fritsch wrote:
If a method is not registered, bail out early.
Good idea, but it would be nice to be able to use or to
re-allow it.
I intended to add a directive to easily register custom methods (i.e. call
ap_meth
On 7 Nov 2012, at 11:26, Stefan Fritsch wrote:
> considering the current state of web security, the old principle of "be
> liberal in what you accept" seems increasingly inadequate for web servers. It
> causes lots of issues like response splitting, header injection, cross site
> scripting, etc
On Wed, Nov 7, 2012 at 1:34 PM, Stefan Fritsch wrote:
> On Wed, 7 Nov 2012, Jim Jagielski wrote:
>
>> Certainly once mod_lua is more "production ready", we could
>> use that, couldn't we?
>
>
> One could of course. But not everyone has lua, lua is slower than C, and
> even doing it in a module ins
On Wed, 7 Nov 2012, Jim Jagielski wrote:
One could of course. But not everyone has lua, lua is slower than C, and even
doing it in a module instead of core is sometimes more work.
My response was in regards to mod_taint...
Sorry, then I misunderstood.
Cheers,
Stefan
On Nov 7, 2012, at 8:34 AM, Stefan Fritsch wrote:
> On Wed, 7 Nov 2012, Jim Jagielski wrote:
>
>> Certainly once mod_lua is more "production ready", we could
>> use that, couldn't we?
>
> One could of course. But not everyone has lua, lua is slower than C, and even
> doing it in a module inst
On Wed, 7 Nov 2012, Graham Leggett wrote:
On 07 Nov 2012, at 3:34 PM, Stefan Fritsch wrote:
One could of course. But not everyone has lua, lua is slower than C, and even doing it in a
module instead of core is sometimes more work. For example, currently we set r->protocol
to "HTTP/1.0" even
On 07 Nov 2012, at 3:34 PM, Stefan Fritsch wrote:
> One could of course. But not everyone has lua, lua is slower than C, and even
> doing it in a module instead of core is sometimes more work. For example,
> currently we set r->protocol to "HTTP/1.0" even if the original request
> contained ju
On Wed, 7 Nov 2012, Jim Jagielski wrote:
Certainly once mod_lua is more "production ready", we could
use that, couldn't we?
One could of course. But not everyone has lua, lua is slower than C, and
even doing it in a module instead of core is sometimes more work. For
example, currently we set
On Wed, 7 Nov 2012, Nick Kew wrote:
What do you think?
I've made occasional efforts in this direction in the past,
but never seen much interest in bringing such functionality
into core (as opposed to WAF).
One such: http://people.apache.org/~niq/mod_taint.html
What you proposed there was bro
Certainly once mod_lua is more "production ready", we could
use that, couldn't we?
On Nov 7, 2012, at 6:54 AM, Nick Kew wrote:
> On Wed, 7 Nov 2012 12:26:23 +0100 (CET)
> Stefan Fritsch wrote:
>
>
>> What do you think?
>
> I've made occasional efforts in this direction in the past,
> but nev
On Wed, 7 Nov 2012 12:26:23 +0100 (CET)
Stefan Fritsch wrote:
> What do you think?
I've made occasional efforts in this direction in the past,
but never seen much interest in bringing such functionality
into core (as opposed to WAF).
One such: http://people.apache.org/~niq/mod_taint.html
--
Hi,
considering the current state of web security, the old principle of "be
liberal in what you accept" seems increasingly inadequate for web servers.
It causes lots of issues like response splitting, header injection, cross
site scripting, etc. The book "Tangled Web" by Michal Zalewski is a g
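The thread's two concrete points, rejecting unregistered methods before any handler sees them (the ap_method_register() discussion earlier in the thread) and refusing the sloppy request-line and header parsing that feeds response splitting and header injection, as an added example in C. This is illustration code written for this page, not httpd source: the method table, the registration helper, the status codes chosen for each rejection and the hard-coded version strings are assumptions that stand in for ap_method_register() and the core protocol code.

```c
/* Added illustration for this thread, not httpd source code.
 * Strict request-line / header-value checks: only registered methods pass,
 * method tokens must be RFC 7230 tchar, the version must be exactly
 * "HTTP/1.0" or "HTTP/1.1", and header values may not carry CR, LF or
 * other control bytes.  The registry is a constructed stand-in for httpd's
 * ap_method_register(); the status codes are this example's own choice. */
#include <stdio.h>
#include <string.h>

#define MAX_METHODS 32
static const char *registered[MAX_METHODS];   /* constructed method table */
static int nregistered;

/* Stand-in for ap_method_register(): a method must be registered (standard
 * ones at startup, custom ones from configuration) before it is accepted.
 * Returns 0 on success, -1 if the table is full. */
int register_method(const char *m)
{
    if (nregistered >= MAX_METHODS)
        return -1;
    registered[nregistered++] = m;
    return 0;
}

/* Reset the table and load the methods every server knows about.
 * Returns the number of methods now registered. */
int register_standard_methods(void)
{
    static const char *std[] = { "GET", "HEAD", "POST", "PUT", "DELETE",
                                 "OPTIONS", "TRACE", "PATCH" };
    size_t i;
    nregistered = 0;
    for (i = 0; i < sizeof std / sizeof std[0]; i++)
        register_method(std[i]);
    return nregistered;
}

/* Methods are case-sensitive tokens: compare exactly, never case-fold. */
int method_is_registered(const char *m, size_t len)
{
    int i;
    for (i = 0; i < nregistered; i++)
        if (strlen(registered[i]) == len && memcmp(registered[i], m, len) == 0)
            return 1;
    return 0;
}

/* RFC 7230 tchar: the only bytes allowed in a method token. */
static int is_tchar(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z')
        || (c >= 'a' && c <= 'z')
        || (c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Check one request line (CRLF already stripped).  Returns the status the
 * server should answer with: 200 = acceptable, 400 = malformed (no guessing,
 * no silent downgrade to HTTP/1.0), 501 = well-formed but unregistered. */
int check_request_line(const char *line)
{
    const char *p = line, *target;
    size_t mlen;

    while (is_tchar((unsigned char)*p))          /* method token */
        p++;
    mlen = (size_t)(p - line);
    if (mlen == 0 || *p != ' ')                  /* exactly one SP follows */
        return 400;
    p++;

    target = p;                                  /* request-target: no SP/CTL */
    while (*p && *p != ' ' && (unsigned char)*p > 0x20 && *p != 0x7f)
        p++;
    if (p == target || *p != ' ')
        return 400;
    p++;

    if (strcmp(p, "HTTP/1.1") != 0 && strcmp(p, "HTTP/1.0") != 0)
        return 400;                              /* exact version, nothing else */

    return method_is_registered(line, mlen) ? 200 : 501;
}

/* A header value containing CR, LF or any other control byte (HTAB excepted)
 * is the raw material of header injection and response splitting: reject it
 * instead of copying it through.  Returns 1 if clean, 0 if not. */
int header_value_ok(const char *v)
{
    const unsigned char *p;
    for (p = (const unsigned char *)v; *p; p++)
        if ((*p < 0x20 && *p != '\t') || *p == 0x7f)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: clean, unknown method, bogus version,
     * double space, and a header value carrying CRLF. */
    const char *lines[] = { "GET /index.html HTTP/1.1", "BREW /pot HTTP/1.1",
                            "GET /index.html HTTP/1.x", "GET  /index.html HTTP/1.1" };
    size_t i;
    register_standard_methods();
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], check_request_line(lines[i]));
    register_method("BREW");                     /* as a config directive would */
    printf("%-28s -> %d (after registering BREW)\n", lines[1],
           check_request_line(lines[1]));
    printf("header with CRLF clean? %d\n", header_value_ok("foo\r\nSet-Cookie: x"));
    return 0;
}
```

The two rejection paths are deliberately different: a syntactically valid but unregistered method gets 501, so a custom method that was simply forgotten in the configuration is easy to diagnose, while anything that is not a well-formed request line is a 400 with no attempt to guess what the client meant, the opposite of the HTTP/1.0 fallback for r->protocol mentioned in the thread.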