# $Id: BlowChunks.pl,v 1.4 2002/06/22 05:27:33 cbailiff Exp $
#
# Reject chunked requests before vulnerable chunking routines can read them.
# (mod_perl version)
#
# Cris Bailiff, c.bailiff+blowchunks@devsecure.com -  http://www.awayweb.com
# http://www.devsecure.com/pub/src/BlowChunks.pl
#
# Copyright 2002 Cris Bailiff.  All rights reserved.
#
# Permission is granted to anyone to use this software for any purpose on
# any computer system, and to alter it and redistribute it, subject
# to the following restrictions:
#
# 1. The author is not responsible for the consequences of use of this
#  software, no matter how awful, even if they arise from flaws in it.
#
# 2. The origin of this software must not be misrepresented, either by
#  explicit claim or by omission. 
#
# 3. Altered versions must be plainly marked as such, and must not be
#  misrepresented as being the original software. 
#
# 4. This notice may not be removed or altered.
#
# To install in your mod_perl enabled server, copy the code below into
# your httpd.conf file (at the end is best), or read this file into
# your configuration using an 'Include' statement, and restart httpd.
#
# You need mod_perl with support for PerlPostReadRequestHandler
# and <perl> sections. You have these if your mod_perl was configured
# using EVERYTHING=1, which is typical.
#
# (Permission is granted to leave these comments out of your httpd.conf file :-)
# but please use this original version if passing along...)
#
# --cut-here---

<perl>
# blowchunks for mod_perl
# $Id: BlowChunks.pl,v 1.4 2002/06/22 05:27:33 cbailiff Exp $
# Deny requests using Transfer-Encoding: chunked
#
# Post-read-request handler: refuse any request that declares chunked
# transfer encoding, and let every other request through untouched.
#
# Argument: $r - the request object mod_perl passes to the handler.
# Returns:  400 (HTTP Bad Request) when "chunked" appears in the
#           Transfer-Encoding header value(s), otherwise 0 so that request
#           processing carries on.
#
# Operational notes:
#  - This is a blanket block. Legitimate clients that send chunked request
#    bodies get a 400 as well, so watch the error log for the warning below
#    to see who is affected.
#  - Only the Transfer-Encoding header is inspected. The handler does not
#    repair the chunk-handling routines themselves.
sub Awayweb::BlowChunks::handler {
    my ($r) = @_;

    # List context asks for every value of the header, so a request that
    # repeats Transfer-Encoding is presumably checked across all of them.
    my @encodings = $r->headers_in->get('Transfer-Encoding');

    # The values are concatenated with no separator and matched as a
    # case-insensitive substring, which is deliberately broader than an
    # exact comparison against "chunked".
    my $declared = join '', @encodings;

    return 0 unless $declared =~ /chunked/i;

    # Leave a trace in the server error log for every rejected request.
    $r->log->warn('Transfer-Encoding: chunked - denied and logged');
    return 400;
}
</perl>
PerlPostReadRequestHandler Awayweb::BlowChunks
