- From: Willy Tarreau <w@1wt.eu>
- Date: Mon, 21 Jul 2014 09:53:12 +0200
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Jul 21, 2014 at 12:14:18AM -0700, Roberto Peon wrote: > Assuming that query params get put into the compressor, splitting the path > off means that an attacker gets to test against all of those query-parts > with a query and *any* path. I'm not sure what you mean, we're speaking about having a single :query for whatever follows the question mark, right ? If so, all the params must be tried as a single block. Willy
Received on Monday, 21 July 2014 07:56:51 UTC