Bugtraq mailing list archives
Re: Apache DoS Attack
From: paulle () MICROSOFT COM (Paul Leach)
Date: Wed, 12 Aug 1998 12:32:02 -0700
Header merging is required to be compliant with HTTP/1.1. See section 4.2, <draft-ietf-http-v11-spec-03>. It is (essentially) the way of continuing headers across multiple lines.
-----Original Message-----
From: Pim van Riezen [mailto:pim () WEBCITY NL]
Sent: Tuesday, August 11, 1998 9:49 PM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Apache DoS Attack

Is there any good reason for any of these programs to merge headers internally in the first place? I'm wondering because I am actually working on a webserver and noted that the code wasn't vulnerable because of the way I chose to implement header-handling (which didn't include any header-merging code). I wonder if there are any situations where a client legitimately sends two headers of the same type (in which case I would have to add header-merging code) or is this following conventions for the sake of following conventions (in which case I might feel inclined to stay lazy :-)? Input is welcome.
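The merging rule discussed in this thread, as an added example that is not part of either message or of any server's code: repeated fields are combined into one comma-separated value and folded lines are joined to the field they continue, with the work bounded by limits on field count and header size. The names `merge_headers`, `HeaderLimitError`, `MAX_FIELDS` and `MAX_BYTES` and the limit values are assumptions chosen for illustration.

```python
# Added example: merge repeated HTTP header fields (HTTP/1.1 section 4.2).
# MAX_FIELDS and MAX_BYTES are assumed limits, not values from the thread.
MAX_FIELDS = 100
MAX_BYTES = 8192


class HeaderLimitError(ValueError):
    """Raised when a request's header block exceeds the assumed limits."""


def merge_headers(raw: bytes) -> dict:
    """Parse a header block and combine repeated fields into one value."""
    if len(raw) > MAX_BYTES:
        raise HeaderLimitError("header block too large")
    parts = {}     # lower-cased field name -> list of values, in arrival order
    last = None    # field that a folded (continuation) line belongs to
    count = 0
    for line in raw.decode("latin-1").split("\r\n"):
        if line == "":
            break                      # blank line ends the header block
        if line[0] in " \t":           # continuation of the previous field
            if last is None:
                raise ValueError("continuation line before any field")
            parts[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        count += 1
        if count > MAX_FIELDS:
            raise HeaderLimitError("too many header fields")
        last = name.lower()            # field names are case-insensitive
        parts.setdefault(last, []).append(value.strip())
    # Join once per field so the work stays linear in the input size,
    # instead of re-copying the merged value for every duplicate seen.
    return {name: ", ".join(values) for name, values in parts.items()}


# Constructed sample header block (not taken from the thread).
SAMPLE = (b"Host: example.test\r\n"
          b"Accept: text/html\r\n"
          b"Accept: text/plain;\r\n"
          b"\tq=0.5\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(merge_headers(SAMPLE))
```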