mod_proxy vulnerable to resource starvation
Mod_proxy was recently changed to NOT forward the "Connection" header to the backend, since we currently rely on the server to close the connection as soon as the request finishes.
However, the header removal should be even more strict than that, if we are to assume HTTP/1.0 behaviour.
- Forwarding the "Keep-Alive" and/or "Host" header confuses some servers to go into 1.1 mode and/or keep the connection although there is no "Connection" header.
- Header comparison of "Connection" is performed in a case-sensitive style. Many webservers parse their headers in a case-INsensitive way. Therefore a user can potentially cause a DoS simply by initiating lots of connections toward a proxied URL and include a header like "connection: keep-alive" (with lower caps).
Also available in: Atom