Not entirely sure, but probably it will shield the server. It depends
on how Apache reacts to a chunked request encoded as a HTTP/1.0
request (this is also using content-length). Without content-length
the request won't get past Squid, and Squid will set the HTTP version
to HTTP/1.0.
It will in any case surely stop all script kiddies however as these
are extremely unlikely to tailor the request in such manner that it
might get past Squid.
Regards
Henrik
On Friday 21 June 2002 21.12, Erik Lotspeich wrote:
> Hi,
>
> I'm sure that you all have read the recent announcement about
> Apache:
>
> http://www.cert.org/advisories/CA-2002-17.html
>
> My question is that if you run Squid as an HTTPD accelerator for
> Apache, will it, in essence, shield the user from the invalid
> chunked-encoding request that Apache is vulnerable to? Or will it
> proxy that request on to Apache?
>
> If my question is ignorant, then I apologize. ;)
>
> Thanks,
>
> Erik.
Received on Fri Jun 21 2002 - 15:57:44 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:45 MST