Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On 03/27/2014 01:38 PM, Nick Kew wrote: > On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote: > >> You can't log a warning or strip the newline; >> 1) it's a const char* so magical things will happen if you edit it(?) >> 2) we don't have a pool handy to make a new string without the newline >>

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote: > You can't log a warning or strip the newline; > 1) it's a const char* so magical things will happen if you edit it(?) > 2) we don't have a pool handy to make a new string without the newline > or log an error. > > As I said in the commit ms

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On 03/27/2014 01:24 PM, Jeff Trawick wrote: > > Just remove it? > > And what about other control characters such as \r, or generally any > character/byte sequence that is not valid here? > > (My mail server is refusing my emails atm, so I'm not sure whether this gets through *crosses fingers*)

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On Thu, Mar 27, 2014 at 8:21 AM, Daniel Gruno wrote: > On 03/27/2014 01:15 PM, Nick Kew wrote: > > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: > >> FYI, I have implemented some restrictions and alterations to mod_lua, to > >> prevent HTTP Response Splitting in cases where users fail to

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On Thu, Mar 27, 2014 at 8:06 AM, Daniel Gruno wrote: > FYI, I have implemented some restrictions and alterations to mod_lua, to > prevent HTTP Response Splitting in cases where users fail to properly > check their output or think mod_lua takes care of everything all by itself. > > This is not a s

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On 03/27/2014 01:15 PM, Nick Kew wrote: > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: >> FYI, I have implemented some restrictions and alterations to mod_lua, to >> prevent HTTP Response Splitting in cases where users fail to properly >> check their output or think mod_lua takes care of

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: > FYI, I have implemented some restrictions and alterations to mod_lua, to > prevent HTTP Response Splitting in cases where users fail to properly > check their output or think mod_lua takes care of everything all by itself. Hmmm ... > > +

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

FYI, I have implemented some restrictions and alterations to mod_lua, to prevent HTTP Response Splitting in cases where users fail to properly check their output or think mod_lua takes care of everything all by itself. This is not a security flaw in mod_lua itself, but rather a scripting accident