From: Eric Covener Date: Thu, 16 May 2024 17:54:35 +0000 (+0000) Subject: add warning about behavior change X-Git-Tag: 2.4.60-rc1-candidate~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69acec3ba02630d347c67731790dd57990b5cf78;p=thirdparty%2Fapache%2Fhttpd.git add warning about behavior change git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1917769 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 7b7b04ea388..8617b705026 100644 --- a/CHANGES +++ b/CHANGES @@ -17,8 +17,12 @@ Changes with Apache 2.4.59 Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. - Users are recommended to upgrade to version 2.4.59, which fixes - this issue. + + After this change, CGI-like scripts cannot set Transfer-Encoding + or Content-Length headers. To restore the ability to set Content-Length + header, set per-request environment variable 'ap_trust_cgilike_cl' to any + non-empty value. + Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
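Review bot: The added paragraph in the CHANGES hunk tells users how to restore script-set Content-Length through 'ap_trust_cgilike_cl' but does not say that doing so makes the server trust that header from the script again, which is the input the entry's context lines tie to the HTTP desynchronization attack. I would add a sentence advising that the variable be set only for scripts whose output is trusted, and state explicitly that Transfer-Encoding has no equivalent opt-out, since the text only implies it. The same hunk also deletes "Users are recommended to upgrade to version 2.4.59, which fixes this issue." without replacement, so the entry no longer states the remediation; consider keeping that sentence ahead of the new warning. Minor wording: "set Content-Length header" and "set per-request environment variable" each need an article ("the Content-Length header", "the per-request environment variable").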