https://issues.apache.org/bugzilla/show_bug.cgi?id=54367
Bug ID: 54367
Summary: Location header in response to PUT is not %-escaped
Product: Apache httpd-2
Version: 2.4.3
Hardware: Macintosh
Status: NEW
Severity: major
Priority: P2
Component: mod_dav
Assignee: bugs@httpd.apache.org
Reporter: wiml@omnigroup.com
Classification: Unclassified
The DAV PUT method returns the location of the newly created resource in the
Location: header of the response (RFC2616 14.30; RFC4918 13.1). However, Apache
does not quote the contents of the newly created path segments when
constructing the new Location: URL (RFC3986 2.4). This means that the response
can be incorrect if the underlying resource name contains octet-sequences that
are significant in URLs (such as "#" or "?") or in the HTTP protocol (such as
CRLF) or both (whitespace, etc).
Here's an example of a request and response using httpd 2.4.3 on an OS X
machine (httpd 2.2.x has the same behavior):

Request:

    PUT /pdav/test%23file HTTP/1.1
    Content-Length: 8
    Host: localhost

    Hello!

Response:

    HTTP/1.1 201 Created
    Date: Wed, 02 Jan 2013 22:40:00 GMT
    Server: Apache/2.4.3 (Unix) OpenSSL/1.0.0j
    Location: http://localhost/pdav/test#file
    Content-Length: 71
    Content-Type: text/html; charset=ISO-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>Connection closed by foreign host.

The file is correctly created in the filesystem as "test#file", but the
Location: header in the response is incorrect.
PUTting to a URL such as ".../davcoll/foo%0A%0DBar:%20blahblah" may be a way to
perform a response splitting attack (a la
http://jeremiahgrossman.blogspot.com/2007/07/http-response-splitting-revelations.html).
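
Added example, not part of the original report and not httpd's own code: one way to percent-encode the decoded resource path (RFC3986 2.4) before it is written into the Location: header, so that "#", "?", whitespace and CR/LF cannot change the URL or the header block. The function names are hypothetical, and the host is assumed to come from trusted server configuration.

```c
#include <stddef.h>
#include <string.h>

/* RFC 3986 "unreserved" characters, plus '/' so path separators survive. */
static int is_path_safe(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') ||
           c == '-' || c == '.' || c == '_' || c == '~' || c == '/';
}

/*
 * Percent-encode a decoded resource path into out (hypothetical helper).
 * Returns the encoded length, or -1 if out is too small. It never
 * truncates, because a cut-off "%2" would itself be a malformed URL.
 */
int escape_location_path(const char *path, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        size_t need = is_path_safe(*p) ? 1 : 3;
        if (n + need + 1 > outlen)      /* +1 keeps room for the NUL */
            return -1;
        if (need == 1) {
            out[n++] = (char)*p;
        } else {                        /* '#', '?', SP, CR, LF, ':' ... */
            out[n++] = '%';
            out[n++] = hex[*p >> 4];
            out[n++] = hex[*p & 0x0F];
        }
    }
    if (n + 1 > outlen)                 /* empty path with outlen == 0 */
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* Build "Location: http://<host><escaped path>"; 0 on success, -1 on overflow.
 * Assumption: host is trusted server configuration, not request data. */
int build_location(const char *host, const char *path, char *out, size_t outlen)
{
    static const char prefix[] = "Location: http://";
    size_t plen = sizeof prefix - 1, used = plen + strlen(host);

    if (used + 1 > outlen)
        return -1;
    memcpy(out, prefix, plen);
    memcpy(out + plen, host, strlen(host) + 1);
    return escape_location_path(path, out + used, outlen - used) < 0 ? -1 : 0;
}
```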