Bugtraq mailing list archives

Re: Apache DoS Attack


From: paulle () MICROSOFT COM (Paul Leach)
Date: Wed, 12 Aug 1998 12:32:02 -0700


Header merging is required to be compliant with HTTP/1.1. See section 4.2,
<draft-ietf-http-v11-spec-03>. It is (essentially) the way of continuing
headers across multiple lines.

-----Original Message-----
From: Pim van Riezen [mailto:pim () WEBCITY NL]
Sent: Tuesday, August 11, 1998 9:49 PM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Apache DoS Attack

Is there any good reason for any of these programs to merge headers
internally in the first place? I'm wondering because I am actually
working on a webserver and noted that the code wasn't vulnerable
because of the way I chose to implement header-handling (which didn't
include any header-merging code). I wonder if there are any situations
where a client legitimately sends two headers of the same type (in
which case I would have to add header-merging code) or is this
following conventions for the sake of following conventions (in which
case I might feel inclined to stay lazy :-)? Input is welcome.
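
The following is an added example, not part of either message and not code from any server discussed in the thread. It sketches the header merging that section 4.2 describes (repeated field names combined into one comma-separated value, folded continuation lines appended to the previous field) with the work bounded per request. The function name, the limits `MAX_FIELDS` and `MAX_HEADER_BYTES`, and the sample request are assumptions made for illustration.

```python
# Added illustration; limits and names below are assumptions, not from the thread.
MAX_FIELDS = 100         # assumed cap on header fields per request
MAX_HEADER_BYTES = 8192  # assumed cap on total header bytes per request

class HeaderLimitExceeded(Exception):
    """Raised when a request exceeds one of the assumed limits."""

def parse_headers(raw):
    """Parse a CRLF-delimited header block into {lowercased-name: merged value}."""
    values = {}   # name -> list of values, joined once at the end
    last = None   # most recent field name, target for continuation lines
    fields = total = 0
    for line in raw.split(b"\r\n"):
        if not line:
            break  # empty line terminates the header block
        total += len(line)
        if total > MAX_HEADER_BYTES:
            raise HeaderLimitExceeded("header block too large")
        text = line.decode("latin-1")
        if text[0] in " \t":
            # Folded continuation: belongs to the previous field's value.
            if last is None:
                raise ValueError("continuation line before any field")
            values[last][-1] += " " + text.strip()
            continue
        fields += 1
        if fields > MAX_FIELDS:
            raise HeaderLimitExceeded("too many header fields")
        name, sep, value = text.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        last = name.lower()
        values.setdefault(last, []).append(value.strip())
    # Repeated names combine in arrival order, separated by commas.
    return {name: ", ".join(vals) for name, vals in values.items()}

# Constructed sample request headers (not captured traffic).
SAMPLE = (b"Host: example.test\r\n"
          b"Accept: text/html\r\n"
          b"Accept: text/plain\r\n"
          b"User-Agent: demo\r\n"
          b"\tclient/1.0\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(parse_headers(SAMPLE))
```

Collecting values in a list and joining once keeps the merge linear in the size of the header block, and both limits are checked before any further allocation for the offending line.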



