From: "Ryan Bloom"
To: "'Ben Laurie'"
Subject: RE: [Bug 9488] - HTTP/0.9 requests spoken on https port returns HTTP/1.0 response
Date: Mon, 3 Jun 2002 17:26:18 -0700
Organization: Covalent Technologies

> From: Ben Laurie [mailto:ben@algroup.co.uk]
>
> Ryan Bloom wrote:
> >>From: Ben Laurie [mailto:ben@algroup.co.uk]
> >>
> >>Cliff Woolley wrote:
> >>
> >>>On Mon, 3 Jun 2002, Ryan Bloom wrote:
> >>>
> >>>>I was actually just about to look at this problem if you are busy.
> >>>
> >>>Go for it... I'm working on something else.
> >>
> >>Perhaps it's just me, but I'm amused this is considered a bug.
> >
> > It's a security hole IMO. The problem is that if you rewrite the URL
> > .*, then the error URL that mod_ssl will be rewritten. This means that
> > you can serve information over HTTP that was supposed to be restricted
> > to HTTPS.
>
> Sorry, I don't understand this - seems like you missed a word or two out?

Sorry, here is a real example:

RedirectMatch ^/([^/]+)?$ index.html

Now, assume that this is specified for an SSL protected virtual host, so
the only way to access this page should be through SSL.
But, now I make an HTTP request over the SSL port. The way mod_ssl used to
handle this case (fixed last night) was to fake a request that started with
/mod_ssl:error... The handler would then see that URI, and send an error
page back. The problem is that in the translate_name phase, mod_alias
redirected /mod_ssl:error to index.html. Then, in the handler phase, we
successfully served that page.

The only good thing is that the ONLY page you can view is the one that you
redirected to, but that is still a bad thing.

Anyway, this was solved last night by removing all of the special
/mod_ssl: URIs.

Ryan
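The sequence described in the message above, modelled as an added example that is not part of the original message and is not httpd or mod_ssl code. The function names, the document table and the shape of the fixed flow (an error flag checked before URI mapping) are assumptions; only the RedirectMatch rule and the /mod_ssl:error prefix come from the message.

```python
import re

# Simplified model of the two phases named in the message; constructed for
# illustration, not httpd or mod_ssl code.
SENTINEL = "/mod_ssl:error"                          # prefix as quoted in the message
RULE = (re.compile(r"^/([^/]+)?$"), "index.html")    # RedirectMatch from the message
DOCS = {"index.html": "HTTPS-only content"}          # constructed vhost content


def translate_name(uri, rules):
    """Mapping phase: the first matching rule replaces the URI."""
    for pattern, target in rules:
        if pattern.match(uri):
            return target
    return uri


def handler(uri):
    """Handler phase: error page for the sentinel, otherwise serve the document."""
    if uri.startswith(SENTINEL):
        return "error page"
    return DOCS.get(uri, "not found")


def old_flow(plain_http_on_ssl_port, uri, rules):
    """In-band signalling: the error travels as a faked request URI."""
    if plain_http_on_ssl_port:
        uri = SENTINEL
    # The sentinel goes through URI mapping like any client-supplied path.
    return handler(translate_name(uri, rules))


def fixed_flow(plain_http_on_ssl_port, uri, rules):
    """Assumed fix shape: the error is a flag checked before any URI mapping."""
    if plain_http_on_ssl_port:
        return "error page"
    return handler(translate_name(uri, rules))


if __name__ == "__main__":
    print(old_flow(True, "/", []))        # no rule: the sentinel reaches the handler
    print(old_flow(True, "/", [RULE]))    # the rule also matches the sentinel
    print(fixed_flow(True, "/", [RULE]))  # no URI exists for the rule to match
```

The general point for review: an internal marker carried in the same namespace as user-configurable URL mapping can be rewritten by that mapping, so error state belongs outside the URI.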