httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: cvs commit: apachen/src/main http_request.c
Date Thu, 08 Jan 1998 20:34:35 GMT


On Thu, 8 Jan 1998, Ben Laurie wrote:

> Dean Gaudet wrote:
> > 
> > This breaks stuff.  Consider:
> > 
> >     GET http://abcdef/foo%2fbar
> 
> Uh?

Ok consider GET http://abcdef/foo%2ebar and

<Directory proxy:http://abcdef/foo.bar>

The former is equivalent to the latter but after Marc's change will
not be considered so.  i.e. security hole. 

(I switched the example from %2f to %2e so that we don't have to think
about %2f issues, they're special.)

Dean

> 
> > 
> > and
> > 
> >     <Directory proxy:http://abcdef/foo/bar>
> >     ...
> >     </Directory>
> > 
> > Of course, this example is already broken by doing this:
> > 
> >     GET http://abcdef:80/foo/bar
> > 
> > Or at least I think it is.
> > 
> > Perhaps we should take this time to completely blow away the "special"
> > proxy r->filename crap.  These things are URIs and should never see
> > the light of day in the filesystem code.  They're handled just fine
> > by <Location>.
> 
> doubleplusone.
> 
> Cheers,
> 
> Ben.
> 
> -- 
> Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
> Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
> and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
> A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
> London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
> 


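The canonicalization mismatch Dean describes, as an added example that is not code from the thread or from Apache: a textual compare of the proxy r->filename against a `<Directory proxy:...>` rule misses `foo%2ebar` and `abcdef:80`, while comparing after decoding escapes and dropping the scheme's default port treats them as the same resource. The rule and URIs are constructed from the thread's own examples; refusing `%2F` outright is an assumption, since the thread sets that case aside as special.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample rule, taken from the thread's own example:
RULE = "proxy:http://abcdef/foo.bar"  # <Directory proxy:http://abcdef/foo.bar>
DEFAULT_PORTS = {"http": 80, "https": 443}
PROXY_PREFIX = "proxy:"


class EncodedSlashError(ValueError):
    """Raised for %2F: decoding it would change the path structure, so the
    safe default assumed here is to refuse the request rather than guess."""


def decode_escapes(path: str) -> str:
    """Decode %XX escapes in a path component; refuse an encoded slash."""
    def repl(m):
        code = int(m.group(1), 16)
        if code == 0x2F:
            raise EncodedSlashError(m.group(0))
        return chr(code)
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, path)


def canonicalize(uri: str) -> str:
    """Lower-case scheme and host, drop the default port, decode the path."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    netloc = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        netloc += f":{parts.port}"
    path = decode_escapes(parts.path) or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def raw_match(rule: str, request_uri: str) -> bool:
    """Textual compare of the proxy r->filename against the rule, no decoding."""
    filename = PROXY_PREFIX + request_uri
    return filename == rule or filename.startswith(rule + "/")


def canonical_match(rule: str, request_uri: str) -> bool:
    """Canonicalize both sides first so equivalent spellings compare equal."""
    rule_uri = canonicalize(rule[len(PROXY_PREFIX):])
    req_uri = canonicalize(request_uri)
    return req_uri == rule_uri or req_uri.startswith(rule_uri + "/")


if __name__ == "__main__":
    for uri in ("http://abcdef/foo%2ebar", "http://abcdef:80/foo.bar"):
        print(uri, "raw:", raw_match(RULE, uri), "canonical:", canonical_match(RULE, uri))
```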