httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: cvs commit: apachen/src/main http_request.c
Date Thu, 08 Jan 1998 21:13:47 GMT
On Thu, 8 Jan 1998, Dean Gaudet wrote:

> 
> 
> On Thu, 8 Jan 1998, Ben Laurie wrote:
> 
> > Dean Gaudet wrote:
> > > 
> > > This breaks stuff.  Consider:
> > > 
> > >     GET http://abcdef/foo%2fbar
> > 
> > Uh?
> 
> Ok consider GET http://abcdef/foo%2ebar and
> 
> <Directory proxy:http://abcdef/foo.bar>
> 
> The former will is equivalent to the latter but after Marc's change will
> not be considered so.  i.e. security hole. 

os_canonical_filename plays no part in this anyway.  It is bogus to apply
os_canonical_filename to _remote_ URLs because it is _os_; we don't know
what OS the remote runs and these aren't fs paths.

In any case, we _can't_ fully protect against this.

http://site//foo

and

http://site/foo

_could_ refer to two different documents.  It just happens that they don't
on Apache servers.  Pretending they are the same would be bogus.  That may
not be the best examples, there are others.  %-encoding is (generally) a
different case.

url variance sucks, but it is very hard to avoid allowing stuff like this
through the proxy.  How about paths with "/../" in?  Denying such things
at the proxy wouldn't be smart.

> 
> (I switched the example from %2f to %2e so that we don't have to think
> about %2f issues, they're special.)
> 
> Dean
> 
> > 
> > > 
> > > and
> > > 
> > >     <Directory proxy:http://abcdef/foo/bar>
> > >     ...
> > >     </Directory>
> > > 
> > > Of course, this example is already broken by doing this:
> > > 
> > >     GET http://abcdef:80/foo/bar
> > > 
> > > Or at least I think it is.
> > > 
> > > Perhaps we should take this time to completely blow away the "special"
> > > proxy r->filename crap.  These things are URIs and should never see
> > > the light of day in the filesystem code.  They're handled just fine
> > > by <Location>.
> > 
> > doubleplusone.
> > 
> > Cheers,
> > 
> > Ben.
> > 
> > -- 
> > Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
> > Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
> > and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
> > A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
> > London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
> > 
> 


Mime
View raw message