httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_cgi/973: Invalid request methods are processed by CGI module as GET (fwd)
Date Thu, 07 Aug 1997 06:05:10 GMT
On Wed, 6 Aug 1997, Alexei Kosut wrote:

> On Wed, 6 Aug 1997, Marc Slemko wrote:
> 
> > Should we add something like:
> > 
> >     if (r->method_number == M_INVALID) {
> >         return DECLINED;
> >     }
> 
> No. Invalid requests are still valid. That's why the core doesn't reject
> them outright. A well-written CGI will check REQUEST_METHOD, and if it is
> not something it supports ("GET" or "POST", most likely), it will reject
> it.

Well blurg, the code is wrong:

http_protocol.c:

    else 
        r->method_number = M_INVALID; /* Will eventually croak. */

It won't necessarily eventually croak, so blah.

> 
> Apache does not process "BLAH" as if it were a GET request (to use the
> bug reporter's syntax), it processes it as if it were a BLAH request,
> which, as it is unknown, is treated as an HTTP extension method. You
> certainly can't use BLAH to get around a <Limit GET> for serving files
> from most of the modules. CGI scripts are, as per the spec, passed all
> requests to their URL. They're responsible for ensuring that things work
> out.

I can go for that.  Looking over 2068 again, I can see nothing
discouraging our behavior.

> Yes. This is definitely true. Someone should respond to the bug reporter,
> saying basically that Apache follows the CGI spec, and passes all methods
> to the CGI, it should check REQUEST_METHOD, and they should remove the
> <Limit> section if they want to ensure that the CGI is always protected.

Or they can just list all possible methods in it.  <g>

Regardless, this is a security hole.  Not in Apache but in people's config
files.  Is there any way we can deal with it?  Didn't think so.


Mime
View raw message