Bugtraq mailing list archives
Re: Apache DoS Attack
From: dgaudet-list-bugtraq () ARCTIC ORG (Dean Gaudet)
Date: Wed, 12 Aug 1998 15:37:59 -0700
On Tue, 11 Aug 1998, Pim van Riezen wrote:
Is there any good reason for any of these programs to merge headers internally in the first place?
The HTTP standard requires semantic equivalence between merged and unmerged forms of the headers. See RFC2068, section 4.2. So yeah, you have to think about this problem if you intend to implement the protocol... there's a few other things in the standard you should consider too ;) You'll run into it rather fast, I believe some versions of Lynx send several "Accept" headers. Apache treats headers as a single string, and it merges them as it's allowed to. The merge was O(n^2) space. It's O(n*lg(n)) time, O(n) space in our current development version. An alternative is to preparse the headers and use a linked list. This would be a large change to the Apache API, and won't be attempted in the 1.x timeframe. Dean
Current thread:
- Apache DoS Attack Jamie Orzechowski (Aug 10)
- <Possible follow-ups>
- Re: Apache DoS Attack Jonathan Freeman (Aug 11)
- Re: Apache DoS Attack Pim van Riezen (Aug 11)
- Re: Apache DoS Attack Dean Gaudet (Aug 12)
- Re: Apache DoS Attack Paul Leach (Aug 12)