>> There are many other incompliant things, like misspelled headers, a
>> script can send, but Apache doesn't stop it from doing that. It's
>> ultimately the script's responsibility.
>
> No. Sending misspelled headers only affects the current request.
> Sending content in a situation where no content is allowed affects the
> next request(s) [and might well be a security problem].

To stop this attack vector, the misbehavior must be detected by the
proxy or the client. You can't solve this problem using a trusted
server. There's the remaining issue of multiple administration domains
on a single vhost or web server process, but I don't think you can run
such a setup without heavy patching anyway. 8-/

> No. Apache _has_ to ensure _transport_ protocol conformance as much as
> the kernel has to ensure that applications can't send IP packets once a
> socket is closed.

The downside is that if Apache unconditionally enforces protocol
compliance, it's much harder to use it for protocol testing purposes.
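
An added illustration, not part of the original message: a sketch of the client- or proxy-side check discussed above, walking a keep-alive response stream and flagging bytes that follow a response which may not carry a body (HEAD, 204, 304). The function names and sample bytes are constructed for this example, and only Content-Length framing is handled.

```python
# Statuses that never carry a body, whatever the headers say (RFC 7230, 3.3.3).
BODYLESS_STATUS = {204, 304}

def split_head(buf):
    """Parse the response head at the start of buf: (status, headers, rest)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("no response head at this offset")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest

def first_violation(methods, stream):
    """Pair each request method with its response on one connection.

    Returns (request_index, method, status, stray_preview) for the first
    response that carries content where none is allowed, else None.
    """
    buf = stream
    for i, method in enumerate(methods):
        status, headers, buf = split_head(buf)
        if method == "HEAD" or status in BODYLESS_STATUS:
            # The next byte must start the next response, or the stream ends.
            if buf and not buf.startswith(b"HTTP/"):
                # Framing is lost from here on: later responses are misaligned.
                return (i, method, status, buf[:32])
        else:
            buf = buf[int(headers.get(b"content-length", b"0")):]
    return None

# Constructed sample streams for the request sequence HEAD, GET.
OK_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
CLEAN = OK_200 + OK_200 + b"hello"            # HEAD answered with head only
DIRTY = OK_200 + b"hello" + OK_200 + b"hello" # script wrote a body to HEAD
STALE = b"HTTP/1.1 304 Not Modified\r\n\r\nstale" + OK_200 + b"hello"

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("dirty", DIRTY), ("stale", STALE)):
        print(name, first_violation(["HEAD", "GET"], data))
```

A receiver that finds a violation should close the connection rather than reuse it, since it can no longer tell where the next response begins.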