git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
alternative solution for CVE-2011-4317
author Jeff Trawick <trawick@apache.org>
Fri, 20 Jan 2012 14:21:28 +0000 (14:21 +0000)
committer Jeff Trawick <trawick@apache.org>
Fri, 20 Jan 2012 14:21:28 +0000 (14:21 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1233920 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 1ccab684d1b00975f00e9c2552f7ff93c5c24446..eece6e924ea529b1060dfe255da8dc7427306559 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -150,9 +150,12 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
            should be much faster than a callout to strcmp.
     wrowe: Shouldn't this all simply be handled with an error result from
            apr_uri_parse?
-    trawick: leaning towards (b) with wrowe's tweak above, to let other mods
-           decide whether to handle odd URIs with core hook failing it if it got
-           that far
+    trawick: valid URIs can be used to exploit this, so apr_uri_parse() won't help
+
+    Plan (b) from mail discussion above
+      Adds trunk revision 1233604
+      2.2.x patch: http://people.apache.org/~trawick/CVE-2011-4317-2.2.x.txt
+    +1: trawick
 
   * mod_proxy: cure size_t abuse part 1, backport relevant bits of r1227856,
     Specifically normalizes ap_proxy_string_read so that the prototype
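
Review bot: The added trawick line states that valid URIs can be used to exploit this but gives neither the form of such a URI nor a pointer to the message that shows it, so the answer to wrowe's apr_uri_parse question cannot be checked from STATUS alone; a one-line reference to the mail thread or to the trunk commit log would fix that. In the added "Plan (b)" block, the 2.2.x patch is referenced only by a people.apache.org/~trawick URL, which is a personal location whose content can change after votes are cast; trunk revision 1233604 is the stable reference, so it would help to note whether the 2.2.x patch differs from it. The block also depends on "mail discussion above" to define plan (b), and the removed lines were the only place that hinted at what (b) does; a short summary of the approach would let voters evaluate it without leaving the file.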