httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 10775] - SCRIPT_NAME wrong value
Date Sat, 10 Aug 2002 05:20:23 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10775>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10775

------- Additional Comments From mjd-apache-bugzilla+@plover.com  2002-08-10 05:20 -------
The normalized value is assigned to r->path_info
during the call to ap_directory_walk.  ap_directory_walk contains the following
comment:

    /* XXX Notice that this forces path_info to be canonical.  That might
     * not be desired by all apps. ...

It would appear that any application that depends on the PATH_INFO from a uri
such as 'http://www.plover.com/cgi-bin/myprogram/http://some.other.url/' 
falls into the category of "an app that does not desire this behavior."

But there is still a bug, because ap_find_path_info assumes that the
tails of the r->path_info and r->uri will match, and they don't,
because the path_info was canonicalized in ap_directory_walk, but the
r->uri was not canonicalized.  

The ap_directory_walk comment cited above continues:

	...  However, some of those same apps likely
     * have significant security holes.
     */

I believe this is referring to apps that might be invoked as
http://perl.plover.com/cgi-bin/myapp/../../../../../../../../../etc/passwd.
Canonicalizing this path may well save 'myapp' from a severe security
problem.  However, compressing repeated slashes from the path_info
does not appear to have any analogous security benefit.
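
The mismatch described in the message above, shown as an added example; it is not part of the original message and is not Apache's source. It is a simplified, hypothetical model of a tail-matching split: `script_name_len`, `collapse_slashes` and `is_suffix` are illustrative names, only slash compression is modeled, and the input is the path of the message's example URL.

```c
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/' in place. Models only the slash compression the
 * message discusses, not full canonicalization. */
static void collapse_slashes(char *s)
{
    char *out = s;
    for (const char *in = s; *in; in++)
        if (!(*in == '/' && out > s && out[-1] == '/'))
            *out++ = *in;
    *out = '\0';
}

/* Hypothetical split: strip the longest common tail of uri and path_info,
 * then move forward to the next '/'. Returns the SCRIPT_NAME length. */
static size_t script_name_len(const char *uri, const char *path_info)
{
    size_t lu = strlen(uri), lp = strlen(path_info);
    while (lu > 0 && lp > 0 && uri[lu - 1] == path_info[lp - 1]) {
        lu--;
        lp--;
    }
    while (uri[lu] != '\0' && uri[lu] != '/')
        lu++;
    return lu;
}

/* 1 when path_info is an exact suffix of uri, which the split assumes. */
static int is_suffix(const char *uri, const char *path_info)
{
    size_t lu = strlen(uri), lp = strlen(path_info);
    return lp <= lu && strcmp(uri + lu - lp, path_info) == 0;
}

int main(void)
{
    /* Constructed from the example URL in the message. */
    char uri[] = "/cgi-bin/myprogram/http://some.other.url/";
    char path_info[] = "/http://some.other.url/";

    collapse_slashes(path_info);               /* only path_info is normalized */
    printf("suffix holds: %d, SCRIPT_NAME: %.*s\n", is_suffix(uri, path_info),
           (int)script_name_len(uri, path_info), uri);

    collapse_slashes(uri);                     /* both sides normalized alike */
    printf("suffix holds: %d, SCRIPT_NAME: %.*s\n", is_suffix(uri, path_info),
           (int)script_name_len(uri, path_info), uri);
    return 0;
}
```

In this model the first split ends inside the extra path, while the second, with both strings normalized the same way, ends at `/cgi-bin/myprogram`.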
