Bug #421
closedmod_proxy vulnerable to resource starvation
Description
Mod_proxy was recently changed to NOT forward the "Connection" header to the backend, since we currently rely on the server to close the connection as soon as the request finishes.
However, the header removal should be even more strict than that, if we are to assume HTTP/1.0 behaviour.
- Forwarding the "Keep-Alive" and/or "Host" header confuses some servers to go into 1.1 mode and/or keep the connection although there is no "Connection" header.
- Header comparison of "Connection" is performed in a case-sensitive style. Many webservers parse their headers in a case-INsensitive way. Therefore a user can potentially cause a DoS simply by initiating lots of connections toward a proxied URL and include a header like "connection: keep-alive" (with lower caps).
-- conny
Files
Updated by Anonymous over 18 years ago
The "stalled" state (waiting for server to close channel) is similar to the one reported in #415.
-- conny
Updated by gstrauss about 8 years ago
Submitted pull request https://github.com/lighttpd/lighttpd1.4/pull/39 to unconditionally set Connection: close with proxied HTTP/1.0 request. The client request headers Connection and Proxy-Connection were already being filtered.
Updated by stbuehler about 8 years ago
- Description updated (diff)
- Assignee deleted (
jan) - Target version set to 1.4.40
oO. It seems no one cared about the case-sensitive header comparison for a long time...
Updated by stbuehler about 8 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r3093.
Also available in: Atom