[7645] in bugtraq
Re: Apache DoS Attack
daemon@ATHENA.MIT.EDU (Paul Leach)
Wed Aug 12 19:30:29 1998
Date: Wed, 12 Aug 1998 12:32:02 -0700
Reply-To: Paul Leach <paulle@MICROSOFT.COM>
From: Paul Leach <paulle@MICROSOFT.COM>
X-To: "pim@WEBCITY.NL" <pim@WEBCITY.NL>
To: BUGTRAQ@NETSPACE.ORG
Header merging is required to be compliant with HTTP/1.1. See section 4.2,
<draft-ietf-http-v11-spec-03>. It is (essentially) the way of continuing
headers across multiple lines.
> -----Original Message-----
> From: Pim van Riezen [mailto:pim@WEBCITY.NL]
> Sent: Tuesday, August 11, 1998 9:49 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: Apache DoS Attack
>
> Is there any good reason for any of these programs to merge headers
> internally in the first place? I'm wondering because I am actually working
> on a webserver and noted that the code wasn't vulnerable because of the
> way I chose to implement header-handling (which didn't include any
> header-merging code). I wonder if there are any situations where a
> client legitimately sends two headers of the same type (in which case I
> would have to add header-merging code) or is this following conventions
> for the sake of following conventions (in which case I might feel
> inclined to stay lazy :-)? Input is welcome.
>