httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 54367] New: Location header in response to PUT is not %-escaped
Date Wed, 02 Jan 2013 23:18:19 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=54367

            Bug ID: 54367
           Summary: Location header in response to PUT is not %-escaped
           Product: Apache httpd-2
           Version: 2.4.3
          Hardware: Macintosh
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_dav
          Assignee: bugs@httpd.apache.org
          Reporter: wiml@omnigroup.com
    Classification: Unclassified

The DAV PUT method returns the location of the newly created resource in the
Location: header of the response (RFC2616 14.30; RFC4918 13.1). However, Apache
does not quote the contents of the newly created path segments when
constructing the new Location: URL (RFC3986 2.4). This means that the response
can be incorrect if the underlying resource name contains octet-sequences that
are significant in URLs (such as "#" or "?") or in the HTTP protocol (such as
CRLF) or both (whitespace, etc).

Here's an example of a request and response using httpd 2.4.3 on an OS X
machine (httpd 2.2.x has the same behavior):

Request:

PUT /pdav/test%23file HTTP/1.1
Content-Length: 8
Host: localhost

Hello!

Response:

HTTP/1.1 201 Created
Date: Wed, 02 Jan 2013 22:40:00 GMT
Server: Apache/2.4.3 (Unix) OpenSSL/1.0.0j
Location: http://localhost/pdav/test#file
Content-Length: 71
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Connection closed by foreign host.


The file is correctly created in the filesystem as "test#file", but the
Location: header in the response is incorrect.

PUTting to a URL such as ".../davcoll/foo%0A%0DBar:%20blahblah" may be a way to
perform a response splitting attack (a la
http://jeremiahgrossman.blogspot.com/2007/07/http-response-splitting-revelations.html
).

-- 
You are receiving this mail because:
You are the assignee for the bug.
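
The escaping step the report says is missing, as an added example (not code from httpd, mod_dav or the reporter): the decoded resource name is percent-encoded again before it is placed in a Location value, and the finished value is checked for control octets. The function names are hypothetical, and the pass-through set is deliberately narrower than RFC 3986 allows in a path.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not mod_dav source; all function names are hypothetical. */
/* Pass-through set: RFC 3986 unreserved characters plus the "/" that
 * separates path segments. Every other octet is percent-encoded. */
static int passes_unescaped(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || (c && strchr("-._~/", c));
}

/* Percent-encode a decoded path. Returns length, or -1 if out is too small. */
int escape_path(const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        size_t need = passes_unescaped(*p) ? 1 : 3;
        if (o + need >= outlen)          /* always keep room for the NUL */
            return -1;
        if (need == 1) { out[o++] = (char)*p; continue; }
        out[o++] = '%';
        out[o++] = hex[*p >> 4];
        out[o++] = hex[*p & 0x0F];
    }
    if (o >= outlen)                     /* empty path with outlen == 0 */
        return -1;
    out[o] = '\0';
    return (int)o;
}

/* Defence in depth: a header value must carry no CR, LF or other controls. */
int header_value_is_clean(const char *v)
{
    for (; *v; v++)
        if ((unsigned char)*v < 0x20 || *v == 0x7F)
            return 0;
    return 1;
}

/* Build a Location value from a fixed origin and the decoded resource path. */
int build_location(const char *origin, const char *path, char *out, size_t len)
{
    size_t n = strlen(origin);
    if (n >= len || escape_path(path, out + n, len - n) < 0)
        return -1;
    memcpy(out, origin, n);              /* origin is trusted server config */
    return header_value_is_clean(out) ? 0 : -1;
}
```

With the report's inputs, the on-disk name `test#file` comes back as `test%23file`, and the CR/LF octets in the second name are emitted as `%0A%0D` rather than as raw line breaks.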
