httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: workaround for encoded slashes (%2f)
Date Thu, 16 Jan 2003 16:26:53 GMT
At 10:10 AM 1/16/2003, Rodent of Unusual Size wrote:
>Rodent of Unusual Size wrote:
>>okey, here is the patch.  i have been unable to detect any
>>security flaws in my testing.  please apply and test this
>>as fixing the existing issue in a 'good enough' way until
>>a rework/redesign of the filesystem intertwingling is addressed.
>
>no negative remarks, so i'm going to assume lazy consensus in
>a couple of days and commit it into all three branches.

You've already received a number of comments, and you already know
I'm strongly opposed in principle to just tossing this security and trusting
lazy 3rd party module authors to perform this testing themselves.

For example, we've seen a number of vulnerabilities in Tomcat HTTP
connector that weren't susceptible due to the added protections of
http.

I agree that this is a conundrum to be solved.  We only disagree on 
the solution.  You are going for the straight line, while I'm arguing that
we need a stronger framework before we proceed.  Such a framework
has been suggested and that discussion is certainly not finished.

I should be able to blow some holes in the patch, but I can't do that
right now while spending so many hours vetting our coming 2.0.44
release, and I consider it more than a little gratuitous that you presume
lazy consensus on a patch that I'd vetoed in theory.  I then agreed
to give your patch the benefit of the doubt and prove up my objections
or shut up.  I need time to do so, and the veto against potentially
introducing security holes into 3rd party modules stands till I can
perform that review.  With good fortune, within a week of the release
of 2.0.44.

Bill



Mime
View raw message