Return-Path: Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 56527 invoked by uid 500); 16 Jan 2003 16:27:08 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 56431 invoked from network); 16 Jan 2003 16:27:04 -0000 Errors-To: Message-Id: <5.2.0.9.2.20030116101927.02860190@pop3.rowe-clan.net> X-Sender: wrowe%rowe-clan.net@pop3.rowe-clan.net X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Thu, 16 Jan 2003 10:26:53 -0600 To: dev@httpd.apache.org From: "William A. Rowe, Jr." Subject: Re: workaround for encoded slashes (%2f) Cc: dev@httpd.apache.org In-Reply-To: <3E26D97D.9000606@Golux.Com> References: <3E243FBB.7010006@Golux.Com> <3E22A70B.5030000@Golux.Com> <3DBFFD6D.35D22AB9@Golux.Com> <3E22A70B.5030000@Golux.Com> <5.2.0.9.2.20030113170717.0315aec8@pop3.rowe-clan.net> <3E243E35.3070608@Golux.Com> <3E243FBB.7010006@Golux.Com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N At 10:10 AM 1/16/2003, Rodent of Unusual Size wrote: >Rodent of Unusual Size wrote: >>okey, here is the patch. i have been unable to detect any >>security flaws in my testing. please apply and test this >>as fixing the existing issue in a 'good enough' way until >>a rework/redesign of the filesystem intertwingling is addressed. > >no negative remarks, so i'm going to assume lazy consensus in >a couple of days and commit it into all three branches. You've already received a number of comments, and you already know I'm strongly opposed in principle to just tossing this security and trusting lazy 3rd party module authors to perform this testing themselves. For example, we've seen a number of vulnerabilities in Tomcat HTTP connector that weren't susceptible due to the added protections of http. I agree that this is a conundrum to be solved. We only disagree on the solution. You are going for the straight line, while I'm arguing that we need a stronger framework before we proceed. Such a framework has been suggested and that discussion is certainly not finished. I should be able to blow some holes in the patch, but I can't do that right now while spending so many hours vetting our coming 2.0.44 release, and I consider it more than a little gratuitous that you presume lazy consensus on a patch that I'd vetoed in theory. I then agreed to give your patch the benefit of the doubt and prove up my objections or shut up. I need time to do so, and the veto against potentially introducing security holes into 3rd party modules stands till I can perform that review. With good fortune, within a week of the release of 2.0.44. Bill