httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 52774] RewriteRules within outgoing proxy no longer work
Date Wed, 11 Jul 2012 12:46:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774

Eric Covener <covener@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #16 from Eric Covener <covener@gmail.com> ---
(In reply to comment #15)
> (In reply to comment #14)
> > I have added a new RewriteOption, "AllowAnyURI", in r1356115 which IMO
> > resolves this issue.  Other opinions are available! :)
> 
> Doesn't the "AllowAnyURI" option actually mean "allow
> CVE-2011-3368/CVE-2011-4317"?

If you write a rule that captures/substitutes unsafely, and opts into non-path
arguments, yes.

> 
> And is the following statement correct?
> 
> "Declining, request-URI 'http://blahblah' is not a URL-path"
> 
> I believe http://blahblah is a valid URL path.

The path is 1 component of a URL; we use the term "URL-path" for that
component.

> And what is the problem with the patch I proposed? Is it vulnerable to
> CVE-2011-3368/CVE-2011-4317? I hope not.
> 
> I think I just don't understand it.. :-)

IMO it is too narrow and does not force the user to opt in to the input
sometimes not being a URL path (as it had been documented).
