On 03/27/2014 01:38 PM, Nick Kew wrote:
> On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote:
>
>> You can't log a warning or strip the newline;
>> 1) it's a const char* so magical things will happen if you edit it(?)
>> 2) we don't have a pool handy to make a new string without the newline
>>

On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote:
> You can't log a warning or strip the newline;
> 1) it's a const char* so magical things will happen if you edit it(?)
> 2) we don't have a pool handy to make a new string without the newline
> or log an error.
>
> As I said in the commit ms

On 03/27/2014 01:24 PM, Jeff Trawick wrote:
>
> Just remove it?
>
> And what about other control characters such as \r, or generally any
> character/byte sequence that is not valid here?
>
>
(My mail server is refusing my emails atm, so I'm not sure whether this
gets through *crosses fingers*)

On Thu, Mar 27, 2014 at 8:21 AM, Daniel Gruno wrote:
> On 03/27/2014 01:15 PM, Nick Kew wrote:
> > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
> >> FYI, I have implemented some restrictions and alterations to mod_lua, to
> >> prevent HTTP Response Splitting in cases where users fail to

On Thu, Mar 27, 2014 at 8:06 AM, Daniel Gruno wrote:
> FYI, I have implemented some restrictions and alterations to mod_lua, to
> prevent HTTP Response Splitting in cases where users fail to properly
> check their output or think mod_lua takes care of everything all by itself.
>
> This is not a s

On 03/27/2014 01:15 PM, Nick Kew wrote:
> On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
>> FYI, I have implemented some restrictions and alterations to mod_lua, to
>> prevent HTTP Response Splitting in cases where users fail to properly
>> check their output or think mod_lua takes care of

On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote:
> FYI, I have implemented some restrictions and alterations to mod_lua, to
> prevent HTTP Response Splitting in cases where users fail to properly
> check their output or think mod_lua takes care of everything all by itself.
Hmmm ...
> > +

FYI, I have implemented some restrictions and alterations to mod_lua, to
prevent HTTP Response Splitting in cases where users fail to properly
check their output or think mod_lua takes care of everything all by itself.
This is not a security flaw in mod_lua itself, but rather a scripting
accident