Date: Wed, 2 Nov 2016 00:11:53 +0000
From: Eric Wong
To: rack-devel@googlegroups.com
Subject: Re: [PATCH] webrick: detect partial hijack without hash headers
Message-ID: <20161102001153.GA10317@starla>
References: <20160511050451.GA23544@dcvr.yhbt.net> <20160512022814.GA8332@dcvr.yhbt.net> <20160512023154.GB8332@dcvr.yhbt.net>
In-Reply-To: <20160512023154.GB8332@dcvr.yhbt.net>

Eric Wong wrote:
> Response headers need not be a hash according to SPEC,
> so grab the io_lambda the first time we iterate through
> the headers and avoid an extra hash lookup.
> ---
> This is related to (but applies independently of) my lint
> clarification for case-sensitivity.
>
> The following changes since commit 9073125f71afd615091f575d74ec468a0b1b79bf:
>
>   bumping version (2016-05-06 15:51:18 -0500)
>
> are available in the git repository at:
>
>   git://80x24.org/rack.git webrick-header-each
>
> for you to fetch changes up to 2c95a6e5bc18ac860ec0f7f7614ffb4aa6ad817d:
>
>   webrick: detect partial hijack without hash headers (2016-05-12 02:23:48 +0000)

Ping? I just got bitten by this.
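
The situation the quoted commit message describes, as an added Ruby example (not code from the patch or from Rack): response headers given as an array of pairs respond to `each` but not to lookup by string key, so the partial-hijack callback has to be picked up during iteration. `split_response`, `hash_lookup`, `run_hijack` and the sample headers are hypothetical names and constructed data.

```ruby
require "stringio"

RACK_HIJACK = "rack.hijack"

# Walk the headers once with #each, separating the partial-hijack callback
# from the headers that should be written to the client.
# The key is matched exactly here; that is an assumption of this sketch.
def split_response(headers)
  io_lambda = nil
  wire = []
  headers.each do |key, value|
    if key == RACK_HIJACK
      io_lambda = value      # callable that takes over the socket
    else
      wire << [key, value]   # ordinary header, safe to send
    end
  end
  [io_lambda, wire]
end

# What a Hash-style lookup does when handed non-hash headers.
def hash_lookup(headers)
  headers[RACK_HIJACK]
rescue TypeError => e
  e.class
end

# Simulate the server side: send nothing but the wire headers, then hand the
# "socket" (a StringIO stand-in) to the callback if one was found.
def run_hijack(headers)
  io_lambda, wire = split_response(headers)
  sock = StringIO.new
  io_lambda.call(sock) if io_lambda
  [wire, sock.string]
end

# Constructed sample input: headers as an array of [name, value] pairs.
HIJACK = ->(io) { io.write("hello"); io.close }
PAIR_HEADERS = [["Content-Type", "text/plain"], [RACK_HIJACK, HIJACK]]

if __FILE__ == $PROGRAM_NAME
  p hash_lookup(PAIR_HEADERS)
  p run_hijack(PAIR_HEADERS)
end
```
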