httpd-dev mailing list archives

From Lars Eilebrecht <Lars.Eilebre...@unix-ag.org>
Subject RE: 1.3b3 stability
Date Fri, 12 Dec 1997 13:35:38 GMT
According to Dean Gaudet:

>  Given the almost complete lack of bug reports against 1.3 in general on
>  unix and 1.3b3 in particular I think that either:
>  
>  - nobody is testing it
>  
>  or,
>  
>  - it's actually stable and we could have a unix release candidate
>  
>  I tend to believe the latter :)

Me too, but I'm still wondering if someone can confirm the problems I
posted about fullURI problems? I wasn't able to track down the
bug (if there is one) myself.

Here's the message I already posted two times to the list...

-snip-

some days ago someone posted a message about having problems with wrong
REMOTE_HOST values... I just tested it and it appears that it is related to
the fullURI handling.

Example setup:

main server is 'server' and we have one IP-based virtual host ('proxy')
used as a proxy. ProxyRequests is turned off for the main_server
and enabled for the virtual host.

Let's look at the following requests sent from the 'client' to the
'TARGET' host/interface:


TARGET  GET                             REMOTE_HOST  REQUEST_URI
------------------------------------------------------------------------------
proxy   http://proxy/cgi-bin/printenv   client       http://proxy/cgi-bin/printenv
proxy   http://server/cgi-bin/printenv  server       /cgi-bin/printenv
server  http://proxy/cgi-bin/printenv   client       http://proxy/cgi-bin/printenv
server  http://server/cgi-bin/printenv  server       /cgi-bin/printenv


The first entry/result is correct, but all others are not...
The second entry has a wrong REMOTE_HOST. I expected to see 'proxy' instead
of 'server' as REMOTE_HOST.
The third request is processed although 'ProxyRequests Off' was set for
main_server. IMHO the request should be denied, because we haven't connected
to the 'proxy' address.
And the last entry is wrong too, because REMOTE_HOST should contain 'client'
instead of 'server'.

When I look at the access.log I see that only the second request is
processed as a real proxy request, that is I see an access from 'client'
with the full URI and a second request from 'server' with the URI-path
(as noted above it shouldn't be 'server', but 'proxy').

For all other requests I see only one access in the logfile with 'client'
as the remote host. Note that I see 'client' in the access.log for the last
request, but REMOTE_HOST is set to 'server'. (!)

I especially see a security problem with the third example-request, because it
was handled internally although ProxyRequests was turned off for the
main_server.

Can anyone confirm this?

BTW, I tested with 1.3b3-dev.

-snap-


ciao...
-- 
Lars Eilebrecht                  - Apples have been a problem ever since eden.
sfx@unix-ag.org
http://www.si.unix-ag.org/~sfx/
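
Added example, not part of the original message and not Apache code: a log check for the third case in the table, a full-URI request naming another host that is served on an interface where ProxyRequests is off. The log layout (local name first, then Common Log Format), the policy table, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed log layout (not from the message): the local name that accepted the
# connection, followed by Common Log Format fields.
LINE = re.compile(
    r'^(?P<local>\S+) (?P<remote>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)

# Hypothetical policy table mirroring the setup in the message: names each
# interface serves itself, and whether ProxyRequests is enabled there.
POLICY = {
    "server": {"names": {"server"}, "proxy_requests": False},
    "proxy": {"names": {"proxy"}, "proxy_requests": True},
}

def classify(line, policy=POLICY):
    """Classify one log line by how its request target relates to the policy."""
    m = LINE.match(line)
    if m is None or m["local"] not in policy:
        return "unparsed"
    parts = urlsplit(m["target"])
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "no-full-uri"            # plain URI-path request
    vhost = policy[m["local"]]
    if parts.hostname.lower() in vhost["names"]:
        return "full-uri-own-host"      # full URI, but it names this interface
    if vhost["proxy_requests"]:
        return "proxy-allowed"          # foreign host, proxying enabled here
    # Foreign host on an interface with proxying off: served or refused?
    return "foreign-uri-served" if m["status"][0] in "23" else "foreign-uri-refused"

# Constructed sample lines: the four requests from the table plus one plain request.
_TS = "[12/Dec/1997:13:30:00 +0000]"
SAMPLE = [
    f'proxy client - - {_TS} "GET http://proxy/cgi-bin/printenv HTTP/1.0" 200 512',
    f'proxy client - - {_TS} "GET http://server/cgi-bin/printenv HTTP/1.0" 200 512',
    f'server client - - {_TS} "GET http://proxy/cgi-bin/printenv HTTP/1.0" 200 512',
    f'server client - - {_TS} "GET http://server/cgi-bin/printenv HTTP/1.0" 200 512',
    f'server client - - {_TS} "GET /cgi-bin/printenv HTTP/1.0" 200 512',
]

def findings(lines=SAMPLE):
    """Return the lines where a foreign full URI was served with proxying off."""
    return [l for l in lines if classify(l) == "foreign-uri-served"]

if __name__ == "__main__":
    for hit in findings():
        print("REVIEW:", hit)
```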

