Hacker News — vinext + Cloudflare Workers

new
past
show
ask
show
jobs
submit

▲Codex Discovered a Hidden HTTP/2 Bomb (blog.calif.io)

46 points by Yenrabbit 1 days ago | 6 comments

eqvinox 3 hours ago [-]

> We disclosed to Apache on May 27, and Stefan Eissing fixed it on the same day by making cookie headers count against LimitRequestFields.

I was about to say, the bug here isn't in the protocol, it's that memory use isn't being counted & limited as it should... and, yeah.

I'm a bit surprised this happened to Apache, though. APR uses pool allocators. That should be easy enough to track and limit...

HDBaseT 20 hours ago [-]

Not ideal.

This appears to be fixed as of April (at least for Apache). [0].

[0] - https://github.com/nginx/nginx/commit/365694160a85229a7cb006...

DiabloD3 20 hours ago [-]

After reading the article, I can conclude that Codex discovered nothing new.

This is already something that is known, and if you're able to be targeted by this (which is not the majority of users) configure your httpd differently.

swedishuser 10 hours ago [-]

Apache and nginx maintainers implemented fixes one or two days after the author reported, so how do you mean this was known already?

BobbyTables2 17 hours ago [-]

Couldn’t simple fuzzing have found this?

pixel_popping 12 hours ago [-]

Not really, as it wasn't found for close to a decade (>5 years for most webservers).

Rendered at 20:24:44 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.