
Bug#388443: apache2: MUST NOT send data in an 304 reply



>> There's many other incompliant things, like misspelled headers, a
>> script can send, but Apache doesn't stop it from doing that. It's
>> ultimately the script's responsibility.
>
> No. Sending misspelled headers only affects the current request.
> Sending content in a situation where no content is allowed affects the
> next request(s) [and might well be a security problem].

To stop this attack vector, the misbehavior must be detected by the
proxy or the client.  You can't solve this problem using a trusted
server.

There's the remaining issue of multiple administration domains on a
single vhost or web server process, but I don't think you can run such
a setup without heavy patching anyway. 8-/

> No. Apache _has_ to ensure _transport_ protocol conformance as much as
> the kernel has to ensure that applications can't send IP packets once a
> socket is closed.

The downside is that if Apache unconditionally enforces protocol
compliance, it's much harder to use it for protocol testing purposes.
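
Added example, not part of the original message and not Apache code: a sketch of the client- or proxy-side check discussed above, which frames each response on a persistent connection by status code and flags bytes that follow a 304 without starting a new response. The function name `audit_connection` and both sample captures are constructed for illustration; chunked encoding and HEAD requests are left out.

```python
import re

STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")
CONTENT_LENGTH = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$")
NO_BODY = {204, 304}  # plus every 1xx status (RFC 7230, section 3.3.3)


def audit_connection(buf):
    """Walk the responses received on one persistent connection.

    Returns (statuses, finding); finding is None when the framing is clean.
    Simplified for the example: Content-Length framing only (no chunked
    encoding) and no HEAD requests on the connection.
    """
    statuses, pos = [], 0
    while pos < len(buf):
        m = STATUS_LINE.match(buf, pos)
        if m is None:
            # Bytes that are not the start of a response: the previous
            # response carried data it was not allowed to send.
            prev = statuses[-1] if statuses else None
            return statuses, {"offset": pos, "after_status": prev,
                              "stray": buf[pos:pos + 32]}
        status = int(m.group(1))
        end = buf.find(b"\r\n\r\n", m.end() - 2)
        if end == -1:
            break  # headers incomplete, wait for more data
        cl = CONTENT_LENGTH.search(buf[m.end():end + 2])
        if status in NO_BODY or 100 <= status < 200:
            length = 0  # a Content-Length header on a 304 is allowed; a body is not
        else:
            length = int(cl.group(1)) if cl else 0
        statuses.append(status)
        pos = end + 4 + length
    return statuses, None


# Constructed captures, not taken from the bug report.
BAD = (b"HTTP/1.1 304 Not Modified\r\nContent-Length: 5\r\n\r\nstale"
       b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
GOOD = (b"HTTP/1.1 304 Not Modified\r\nETag: \"abc\"\r\n\r\n"
        b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    for name, capture in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit_connection(capture))
```

When a finding is returned, the connection can no longer be trusted for framing and should be closed rather than reused for the next request.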


