httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ryan Bloom" <...@covalent.net>
Subject RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
Date Tue, 04 Jun 2002 00:26:18 GMT
> From: Ben Laurie [mailto:ben@algroup.co.uk]
> 
> Ryan Bloom wrote:
> >>From: Ben Laurie [mailto:ben@algroup.co.uk]
> >>
> >>Cliff Woolley wrote:
> >>
> >>>On Mon, 3 Jun 2002, Ryan Bloom wrote:
> >>>
> >>>
> >>>
> >>>>I was actually just about to look at this problem if you are busy.
> >>>
> >>>
> >>>Go for it... I'm working on something else.
> >>
> >>Perhaps its just me, but I'm amused this is considered a bug.
> >
> >
> > It's a security hole IMO.  The problem is that if you rewrite the
URL
> > .*, then the error URL that mod_ssl will be rewritten.  This means
that
> > you can serve information over HTTP that was supposed to be
restricted
> > to HTTPS.
> 
> Sorry, I don't understand this - seems like you missed a word or two
out?

Sorry, here is a real example:

RedirectMatch ^/([^/]+)?$ index.html

Now, assume that this is specified for an SSL protected virtual host, so
the only way to access this page should be through SSL.  But, now I make
an HTTP request over the SSL port.  The way mod_ssl used to handle this
case (fixed last night), was to fake a request that started with
/mod_ssl:error...  The handler would then see that URI, and send an
error page back.  The problem is that in the translate_name phase,
mod_alias redirected /mod_ssl:error to index.html.  Then, in the handler
phase, we successfully served that page.

The only good thing is that the ONLY page you can view is the one that
you redirected to, but that is still a bad thing.  Anyway, this was
solved last night by removing all of the special /mod_ssl: URIs.

Ryan





Mime
View raw message