httpd-dev mailing list archives

From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject Re: Apache compatibility with NCSA for %2f? (fwd)
Date Tue, 03 Dec 1996 19:42:35 GMT
> From: "Lou D. Langholtz" <ldl@cs.utah.edu>
> Organization: University of Utah
> Subject: Re: Apache compatibility with NCSA for %2f?
> 
> Still haven't heard from anyone on this. Anyone know what's the scoop?
> i.e. was this to prevent a security hole, to conform to a standard, or
> just bad code? Thanks!!
> 
> Lou D. Langholtz wrote:
>> 
>> Anyone know why Apache's unescape_url(char *url) has to return
>> BAD_REQUEST if it encounters %2f? NCSA's server just converts it to the
>> slash ('/') character.

It is to prevent a CGI security hole.  Say you had a CGI script that used
the PATH_INFO to select other files (as is the most common use for path
info), and I sent you

      script/..%2F..%2F..%2Fetc%2Fpasswd

(keeping in mind that a person can make multiple requests looking for
just the right combination).  The NCSA server (when we last tested it)
will perform its access checks before unescaping the %2F, and then provide
the script with PATH_INFO="/../../../etc/passwd".

The core Apache server protects against this for its own files, but CGI
authors are, ummm, security-challenged.  Some happily take the PATH_INFO
and open it relative to whatever their script's root document may be.

      dir/../../../etc/passwd

So, Apache does not allow %2F to be in PATH_INFO, which is a legitimate
thing to do given that the server controls the path namespace.

Now, I know that this causes problems with some scripts that depend on
receiving encoded paths (as does a recent version of dienst, for
example).  There are two solutions for such systems:

    1) Don't use path info to pass arguments containing embedded "/"

    2) Modify Apache so that it passes on the %2F, which technically
       violates the CGI spec and requires the script to be Apache-dependent.

    3) Modify Apache so that it doesn't reject %2F, which may make your
       server a security problem.  In that case, I'd recommend continuing
       to reject any occurrence of "..%2F", since that is the main culprit.

You may forward this entire message to the newsgroup, if you like.

 ...Roy T. Fielding
    Department of Information & Computer Science    (fielding@ics.uci.edu)
    University of California, Irvine, CA 92697-3425    fax:+1(714)824-4056
    http://www.ics.uci.edu/~fielding/
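As an added example (not code from this message or from Apache), here are the two checks Roy describes, written in C: a percent-decoder that refuses an encoded slash the way unescape_url is described as doing, and the ".." segment test a CGI script should run on PATH_INFO before opening anything relative to its own document root. It goes slightly beyond the message in rejecting any ".." segment rather than only "..%2F"; the enum and function names are this example's own.

```c
#include <stddef.h>
#include <string.h>
/* Result of decoding a PATH_INFO string (names are this example's, not Apache's). */
enum decode_status { DECODE_OK = 0, DECODE_BAD_ESCAPE = 1, DECODE_ENCODED_SLASH = 2 };

static int hexval(int c) {                    /* hex digit value, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Percent-decode `in` into `out`. As in the unescape_url behaviour described above,
 * an encoded slash (%2F or %2f) is refused outright, so a '/' only reaches the
 * script where the server saw a literal '/' and ran its own access checks on it. */
enum decode_status unescape_path_info(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return DECODE_BAD_ESCAPE; /* truncated or non-hex */
            c = hi * 16 + lo;
            if (c == '/') return DECODE_ENCODED_SLASH;      /* the %2F case */
            i += 2;
        }
        if (o + 1 >= outlen) return DECODE_BAD_ESCAPE;      /* no room: reject */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return DECODE_OK;
}

/* 1 if `in` decodes cleanly to exactly `expected` (a convenience for callers). */
int decodes_to(const char *in, const char *expected) {
    char buf[256];
    return unescape_path_info(in, buf, sizeof buf) == DECODE_OK && strcmp(buf, expected) == 0;
}
/* What a CGI script should do with PATH_INFO before opening a file relative to its
 * document root: refuse any ".." segment, encoded or not. 1 = safe to join. */
int path_info_is_safe(const char *path) {
    for (const char *seg = path; *seg != '\0'; ) {
        while (*seg == '/') seg++;                          /* skip separators */
        const char *end = seg;
        while (*end != '\0' && *end != '/') end++;          /* end of this segment */
        if (end - seg == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        seg = end;
    }
    return 1;
}
```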
