httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <ruediger.pl...@vodafone.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 14:54:14 GMT


> -----Original Message-----
> From: Roy T. Fielding 
> Sent: Thursday, 13 September 2007 16:45
> To: dev@httpd.apache.org
> Subject: Re: Broken URI-unescaping in mod_proxy
> 
> 
> On Sep 9, 2007, at 1:00 PM, Ruediger Pluem wrote:
> > On 09/09/2007 04:30 PM, Nick Kew wrote:

> >>
> >> How so?
> >
> > ProxyPass /a http://backend/
> > ProxyPass /b http://backend/
> >
> >
> > <Proxy http://backend/a>
> >        allow from someip
> >        deny from all
> > </Proxy>
> >
> > <Proxy http://backend/b>
> >        allow from someotherip
> >        deny from all
> > </Proxy>
> >
> > Request:
> >
> > GET /a/%2E%2E/b/somewhere
> > GET /a/../b/somewhere
> >
> > This allows someip to access http://backend/b/somewhere with the patch.
> > It does not without because r->uri would be /b/somewhere.
> 
> Changes to the request URI must be referred back to the client in the
> form of a redirect.  Any other choice will cause security holes in
> the request chain, somewhere.
> 
> The proxy (when acting as a proxy) must not change the URI.
> 
> The reverse proxy (gateway) is just an origin server with a
> stupid name -- it must send a redirect if it makes the above
> change to a URI.

Sorry for being confused, but what change to a URI are you
talking about? Transforming 

GET /a/../b/somewhere

into

a request for /b/somewhere?

This is the usual transformation we do also in the case we deliver
static content (without sending a redirect to /b/somewhere).


Regards

Rüdiger
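The ordering problem behind Rüdiger's example, as an added illustration that is not code from httpd or from anyone in this thread: a toy gateway in Python that makes its access decision on the request path as received and only then decodes and normalizes it, beside one that canonicalizes first and either refers the changed URI back to the client (the behaviour Roy argues a gateway must have) or, in the in-place variant, rewrites it but evaluates the ACL on the exact path it will forward. The per-prefix ACLs on the client-facing path, the client addresses 10.0.0.1 and 10.0.0.2 standing in for someip and someotherip, and the decode-once-then-fold-dot-segments canonicalization are assumptions of the example; real `<Proxy>` matching in httpd is done against the mapped backend URL and is not modelled here.

```python
from urllib.parse import unquote

# Constructed stand-in for the thread's two <Proxy> blocks, keyed by the
# client-facing path prefix (an assumption of this example; httpd matches
# <Proxy> against the mapped backend URL).  The addresses replace
# "someip" and "someotherip" from the thread.
ACLS = [
    ("/a", {"10.0.0.1"}),   # allow from someip, deny from all
    ("/b", {"10.0.0.2"}),   # allow from someotherip, deny from all
]


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments of an absolute path.

    Simplified version of the parent-directory folding httpd applies to
    r->uri; trailing slashes are dropped, which is fine for this example."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def canonicalize(raw_uri: str) -> str:
    """Decode %XX escapes exactly once, then fold dot segments, so that
    /a/%2E%2E/b/somewhere and /a/../b/somewhere end up as the same string.
    Assumes raw_uri is the path only (no query string)."""
    return normalize_path(unquote(raw_uri))


def acl_allows(path: str, client_ip: str) -> bool:
    """First matching prefix wins; no matching block means 'deny from all'."""
    for prefix, allowed in ACLS:
        if path == prefix or path.startswith(prefix + "/"):
            return client_ip in allowed
    return False


def vulnerable_gateway(raw_uri: str, client_ip: str):
    """Decide on the URI as received, normalize afterwards.

    The ACL sees '/a/%2E%2E/b/somewhere' (prefix /a, someip allowed) while
    the backend receives '/b/somewhere': the decision and the forwarded
    path are about two different strings."""
    if not acl_allows(raw_uri, client_ip):
        return ("deny", raw_uri)
    return ("forward", canonicalize(raw_uri))


def hardened_gateway(raw_uri: str, client_ip: str, redirect: bool = True):
    """Canonicalize first.

    redirect=True: a URI that changes under canonicalization is referred
    back to the client as a redirect (the gateway-as-origin-server rule).
    redirect=False: the change is made in place, as for static content,
    but the ACL is evaluated on the exact path that will be forwarded."""
    canon = canonicalize(raw_uri)
    if redirect and canon != raw_uri:
        return ("redirect", canon)
    if not acl_allows(canon, client_ip):
        return ("deny", canon)
    return ("forward", canon)


if __name__ == "__main__":
    for uri in ("/a/%2E%2E/b/somewhere", "/a/../b/somewhere"):
        print(uri)
        print("  vulnerable:", vulnerable_gateway(uri, "10.0.0.1"))
        print("  hardened:  ", hardened_gateway(uri, "10.0.0.1"))
        print("  in-place:  ", hardened_gateway(uri, "10.0.0.1", redirect=False))
```

Both hardened variants close the hole for the same reason: whatever string the ACL is evaluated against is the string the backend will receive. The redirect variant additionally keeps the client's view of the URI honest at the cost of a round trip; note that `unquote` also turns `%2F` into a separator, so a backend that treats an encoded slash literally would need a stricter canonicalization than this example uses.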
