- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Wed, 23 Jun 2004 08:43:13 -0600 (MDT)
- To: Jamie Lokier <jamie@shareable.org>
- Cc: ietf-http-wg@w3.org
On Wed, 23 Jun 2004, Jamie Lokier wrote:

> Is this sort of thing commonplace?

Common or not, it does happen. When a proxy writer/administrator is faced with the "but it works without a proxy!" or "but it works through XYZ proxy!" pressure, there is little she can do about them, given our overall "garbage in, compliance out" culture.

> I was rather hoping to write a proxy that could at least assume the
> basic lexical syntax of HTTP/1.0 and /1.1 -- so as not to forward
> invalid syntax, which is a security hole -- but it appears not.

A common approach is to switch to a tunnel mode for the transaction in question and terminate the connection as soon as possible. This approach follows the "first, do no harm" principle for intermediaries. As any approach within the current IT culture, it may have negative security implications.

> Is there a well known of server/proxy bugs, and the workarounds needed
> by a robust client/proxy in the real world, so I don't have to repeat
> the research people have done before?
>
> (There's a fairly good list of known client bugs at apache.org, but
> they don't document server/proxy bugs).

Oh, they do, but in a different place: Apache bugzilla database :-).

Alex.
Received on Wednesday, 23 June 2004 10:43:19 UTC