Вопрос про секурити апача через nginx
Igor Sysoev
is at rambler-co.ru
Thu Nov 24 22:43:18 MSK 2005
On Tue, 15 Nov 2005, Pavel Sokolov wrote:
> А через nginx это к апачу придёт?
>
> http://www.apache.org/dist/httpd/CHANGES_1.3
>
> SECURITY: core: If a request contains both Transfer-Encoding and
> Content-Length headers, remove the Content-Length, mitigating some
> HTTP Request Splitting/Spoofing attacks. This has no impact on
> mod_proxy_http, yet affects any module which supports chunked
> encoding yet fails to prefer T-E: chunked over the Content-Length
> purported value. [Paul Querna, Joe Orton]
Да, пройдёт. nginx сейчас игнорирует Transfer-Encoding.
Надо будет поправить в 0.3.12.
Игорь Сысоев
http://sysoev.ru
More information about the nginx-ru
mailing list