httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <ruediger.pl...@vodafone.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 15:20:50 GMT


> -----Original Message-----
> From: Roy T. Fielding 
> Sent: Thursday, 13 September 2007 17:06
> To: dev@httpd.apache.org
> Subject: Re: Broken URI-unescaping in mod_proxy
> 
> 
> On Sep 13, 2007, at 7:54 AM, Plüm, Rüdiger, VF-Group wrote:
> >> Changes to the request URI must be referred back to the client in
> >> the form of a redirect.  Any other choice will cause security holes
> >> in the request chain, somewhere.
> >>
> >> The proxy (when acting as a proxy) must not change the URI.
> >>
> >> The reverse proxy (gateway) is just an origin server with a
> >> stupid name -- it must send a redirect if it makes the above
> >> change to a URI.
> >
> > Sorry for being confused, but what change to a URI are you
> > talking about? Transforming
> >
> > GET /a/../b/somewhere
> >
> > into
> >
> > a request for /b/somewhere?
> >
> > This is the usual transformation we do also in the case we deliver
> > static content (without sending a redirect to /b/somewhere).
> 
> We are supposed to be sending a redirect (or 403) in that case.
> Is that not true?

No. Just create a webserver with a document root and the directories a and b
below the document root containing an index.html

Request

GET /a/../b/index.html HTTP/1.0

You will get the contents of <document root>/b/index.html directly (a.k.a. status code 200)
without any redirect. It has worked like this for as long as I can remember.

Regards

Rüdiger
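The transformation the two messages above are arguing about, as an added illustration that is not part of the thread and not httpd or mod_proxy code: an RFC 3986 section 5.2.4 `remove_dot_segments` applied to the request paths quoted in the thread, plus a hypothetical `resolve` helper that applies dot-segment removal either before or after percent-decoding. The helper does not assert which order any real server uses; it only shows that the two orders disagree exactly when `.` or `..` (or the slash) arrive percent-encoded, which is the kind of request-chain disagreement a proxy creates when it rewrites the path instead of redirecting.

```python
"""RFC 3986 dot-segment removal and the decode/normalise ordering problem.

Added example for the httpd-dev thread on URI handling in mod_proxy.
Nothing here is httpd code; `resolve` is a hypothetical model of the two
possible orderings, not a description of what any particular server does.
"""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4 'remove_dot_segments' for an absolute path ('/...').

    '/a/../b/index.html' -> '/b/index.html' (the case from the thread).
    A '..' that would climb above the root is dropped, so the result never
    leaves '/'.  Only literal '.' and '..' segments are recognised; a
    percent-encoded '%2e%2e' is an ordinary segment to this function.
    """
    out = []
    for seg in path.split("/")[1:]:        # leading '/' gives an empty field 0
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    # A trailing '/.' or '/..' leaves an empty last segment, i.e. a trailing '/'
    if path.endswith(("/.", "/..")):
        out.append("")
    return "/" + "/".join(out)


def resolve(path: str, decode_first: bool) -> str:
    """Map a raw request-target path to a document-root-relative path.

    decode_first=True : percent-decode, then remove dot segments.
    decode_first=False: remove dot segments on the raw path, then decode.
    Hypothetical model; which order a given server uses is not claimed here.
    """
    if decode_first:
        return remove_dot_segments(unquote(path))
    return unquote(remove_dot_segments(path))


def disagree(path: str) -> bool:
    """True when the two orderings in `resolve` map `path` differently.

    A proxy that uses one order and an origin server that uses the other
    will not agree on which resource the request names, which is exactly
    the 'security hole in the request chain' that a redirect avoids.
    """
    return resolve(path, True) != resolve(path, False)


if __name__ == "__main__":
    # Constructed sample request-targets: the one from the thread, and
    # encoded variants of it.
    for p in ("/a/../b/index.html",
              "/a/%2e%2e/b/index.html",
              "/a%2F..%2Fb/index.html",
              "/../../etc/passwd"):
        print(f"{p:28} decode-first={resolve(p, True):24} "
              f"normalise-first={resolve(p, False):24} disagree={disagree(p)}")
```

The literal `/a/../b/index.html` resolves to `/b/index.html` under both orders, so the question of which component normalises it is invisible to the client. With `%2e%2e` in place of `..`, one order yields `/b/index.html` and the other `/a/../b/index.html`; an access rule applied to the normalised path by one hop and to the decoded path by the next hop is then applied to two different resources.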

