Header merging is required to be compliant with HTTP/1.1. See section 4.2, <draft-ietf-http-v11-spec-03>. It is (essentially) the way of continuing headers across multiple lines.

> -----Original Message-----
> From: Pim van Riezen [mailto:pimat_private]
> Sent: Tuesday, August 11, 1998 9:49 PM
> To: BUGTRAQat_private
> Subject: Re: Apache DoS Attack
>
> Is there any good reason for any of these programs to merge headers
> internally in the first place? I'm wondering because I am actually working
> on a webserver and noted that the code wasn't vulnerable because of the
> way I chose to implement header-handling (which didn't include any
> header-merging code). I wonder if there are any situations where a
> client legitimately sends two headers of the same type (in which case I
> would have to add header-merging code) or is this following conventions
> for the sake of following conventions (in which case I might feel
> inclined to stay lazy :-)? Input is welcome.
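The header handling discussed in this thread, as an added example that is not part of either message: a Python parser that joins continuation lines and applies the HTTP/1.1 rule of combining repeated field names into one comma-separated value. The `MAX_FIELDS` and `MAX_BYTES` caps and the collect-then-join accumulation are assumptions added here to keep the merge work bounded; the sample input is constructed.

```python
# Added example: HTTP/1.1 header parsing with folding and same-name merging.
# MAX_FIELDS and MAX_BYTES are assumed limits, not values from the thread.
MAX_FIELDS = 100
MAX_BYTES = 8192


class HeaderError(ValueError):
    """Raised when a header block is malformed or exceeds a limit."""


def parse_headers(raw: bytes) -> dict:
    """Parse a header block (no request line) into {name: merged value}."""
    # Continuation lines (leading SP/HT) extend the previous field; repeated
    # field names are combined into one comma-separated value, in order.
    if len(raw) > MAX_BYTES:
        raise HeaderError("header block too large")
    fields = []  # [name, [value parts]] in arrival order
    for line in raw.split(b"\r\n"):
        if not line:
            break  # empty line ends the header block
        if line[:1] in (b" ", b"\t"):
            if not fields:
                raise HeaderError("continuation line before any field")
            fields[-1][1].append(line.strip(b" \t"))
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip(b" \t"):
            raise HeaderError("malformed field line")
        if len(fields) >= MAX_FIELDS:
            raise HeaderError("too many header fields")
        fields.append([name.lower(), [value.strip(b" \t")]])
    # Collect parts per name in lists and join once at the end, so the cost
    # stays linear in the input instead of re-copying a growing string.
    merged = {}
    for name, parts in fields:
        merged.setdefault(name, []).append(b" ".join(p for p in parts if p))
    return {n.decode("latin-1"): b", ".join(v).decode("latin-1")
            for n, v in merged.items()}


# Constructed sample input: one folded field and one repeated field.
SAMPLE = (b"Host: example.test\r\n"
          b"Accept: text/html\r\n"
          b"User-Agent: demo\r\n\t(constructed)\r\n"
          b"Accept: text/plain\r\n\r\n")

if __name__ == "__main__":
    print(parse_headers(SAMPLE))
```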