Lexa Software: Nginx-ru@sysoev.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: nginx-ru

Nginx-ru mailing list archive (nginx-ru@sysoev.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Вопрос про секурити апача через nginx

To: nginx-ru@xxxxxxxxx
Subject: Re: Вопрос про секурити апача через nginx
From: Igor Sysoev <is@xxxxxxxxxxxxx>
Date: Thu, 24 Nov 2005 22:43:18 +0300 (MSK)
In-reply-to: <025801c5e973$c1e57b40$dea583c3@crea7or>
References: <025801c5e973$c1e57b40$dea583c3@crea7or>

On Tue, 15 Nov 2005, Pavel Sokolov wrote:

А через nginx это к апачу придёт?

http://www.apache.org/dist/httpd/CHANGES_1.3

SECURITY: core: If a request contains both Transfer-Encoding and
Content-Length headers, remove the Content-Length, mitigating some
HTTP Request Splitting/Spoofing attacks.  This has no impact on
mod_proxy_http, yet affects any module which supports chunked
encoding yet fails to prefer T-E: chunked over the Content-Length
purported value.  [Paul Querna, Joe Orton]


Да, пройдёт. nginx сейчас игнорирует Transfer-Encoding.
Надо будет поправить в 0.3.12.


Игорь Сысоев
http://sysoev.ru

References:
- Вопрос про секурити апача через nginx
  - From: Pavel Sokolov

Prev by Date: rtsig
Next by Date: Re: rtsig
Previous by thread: Вопрос про секурити апача через nginx
Next by thread: nginx-0.3.10
Index(es):
- Date
- Thread