On Friday 13 June 2003 13:03, Robert Segall wrote:
On Friday 13 June 2003 13:49, you wrote:
Squid also has a configurable limit on the size of the request body, and the size of request headers. I think both of these offer valuable protection.
Pound also enforces a limit on the size and number of headers in a request - again quite large.
woohooo. Im looking forward to having an opportunity to try Pound.
As to the request body: that's a very different can of worms. With the addition of chunked/MIME encodings in HTTP 1.1 the only way of enforcing a size limit on the request body is to read the complete request in the proxy before passing it to the actual server. Unfortunately that exposes you to a nasty DOS attack - all an attacker needs to do is to send you one (or several - in parallel) never-ending request(s).
Im not sure how squid would handle the chunked request case. It handles the limit on non-chunked request body sizes by counting bytes, and severing the TCP connection when the counter gets too big. No buffering. I guess that would work with chunks too. (from memory, I didnt think chunked encoding was permitted for request bodies. For interoperability with http/1.0)
You may want to look at a similar attack against Apache (published about 5 months ago - google for apache and chunked encoding vulnerability).
I must have missed that one, but I dont keep up to date with apache these days. I cant see anything in Google, unless you mean this 12-month-old one. http://httpd.apache.org/info/security_bulletin_20020617.txt -- Toby Dickenson http://www.geminidataloggers.com/people/tdickenson