- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 21 Jul 2014 07:46:22 +0200
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

Hi Roberto,

On Sun, Jul 20, 2014 at 06:33:01PM -0700, Roberto Peon wrote:
> One doesn't have to guess path + query, one only guesses the query.
> In some scenarios, this enhances the attacker's ability to probe.
> The question is, does it do so enough for us to care.

I don't see why it would be trouble since the path is generally well
known and could be considered constant. It will be retrieved from a link
on a page, a location header, or will just be "/" or something like this.

Willy

Received on Monday, 21 July 2014 05:50:03 UTC