Bug#388443: apache2: MUST NOT send data in an 304 reply
>> There's many other incompliant things, like misspelled headers, a
>> script can send, but Apache doesn' stop it from doing that. It's
>> ultimately the script's responsibility.
> No. Sending misspelled hearders only affects the current request.
> Sending content in a situation where no content is allowed affects the
> next request(s) [and might well be a security problem].
Do stop this attack vector, the misbehavior must be detected by the
proxy or the client. You can't solve this problem using a trusted
There's the remaining issue of multiple administration domains on a
single vhost or web server process, but I don't think you can run such
a setup without heavy patching anyway. 8-/
> No. Apache _has_ to ensure _transport_ protocol conformance as much as
> the kernel has to enshure that applications can't send IP packets once a
> socket is closed.
The downside is that if Apache unconditionally enforces protocol
compliance, it's much harder to use it for protocol testing purposes.