More on when to (not) use persistent connections.

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 10 Jan 1999 02:25:24 +0100

Duane Wessels wrote:

>> The final line is the interesting one. For a POST request, what
>> use would a keep-alive have? Why should squid send this?
>
> Because Squid might send another HTTP request to that same server.
> Theoretically, connection persistence is entirely unrelated to
> request methods.

Theoretically yes, but there are some security implications of using
persistent connections to any request which is sent to a CGI script.
Most servers never check the content-length header returned by CGI
scripts so any person who is allowed to write a CGI script on the server
can theoretically inject false objects for the same server by appending
an extra HTTP reply after the object.

While I agree that this is really a security problem at the origin site,
I think it is yet another reason why we need a way to configure how and
when to use persistent connections (preferably by using an ACL based
check).

/Henrik
Received on Tue Jul 29 2003 - 13:15:55 MDT
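
Added example (not part of the original post and not Squid's code): a sketch of the check a proxy could make before reusing a persistent connection, framing the reply by its Content-Length and refusing reuse when the origin sent bytes beyond it. The function names and sample bytes are constructed, and it assumes no pipelined request is outstanding on the connection.

```python
# Added illustration; split_response/may_reuse are hypothetical names.

def split_response(buf: bytes):
    """Frame one HTTP/1.x reply by its declared Content-Length.

    Returns (status_line, body, surplus), where surplus is whatever the
    server sent beyond the declared body length.
    """
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    lengths = set()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            lengths.add(value.strip())
    if len(lengths) != 1:
        raise ValueError("missing or conflicting Content-Length")
    (raw,) = lengths
    if not raw.isdigit():
        raise ValueError("non-numeric Content-Length")
    n = int(raw)
    if len(rest) < n:
        raise ValueError("body shorter than Content-Length")
    return lines[0], rest[:n], rest[n:]


def may_reuse(buf: bytes) -> bool:
    """True only if the connection may safely carry another request.

    With no request outstanding, bytes after the framed body were never
    asked for, so the connection is closed instead of being reused.
    """
    try:
        _, _, surplus = split_response(buf)
    except ValueError:
        return False  # cannot frame the reply: do not keep the connection
    return not surplus


# Constructed sample data: a well-framed reply, and the same reply from a
# script that wrote more output than its Content-Length declared.
CLEAN = (b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\n"
         b"Content-Length: 5\r\n\r\nhello")
OVERRUN = CLEAN + b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nbad"
```

Only the first five body bytes of `OVERRUN` are delivered as the object; the surplus is never parsed as a second reply because the connection is dropped.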
