httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 20:25:09 GMT


On 09/13/2007 05:47 PM, Roy T. Fielding wrote:
> On Sep 13, 2007, at 8:20 AM, Plüm, Rüdiger, VF-Group wrote:
>>>> Sorry for being confused, but what change to a URI are you
>>>> talking about? Transforming
>>>>
>>>> GET /a/../b/somewhere
>>>>
>>>> into
>>>>
>>>> a request for /b/somewhere?
>>>>
>>>> This is the usual transformation we do also in the case we deliver
>>>> static content (without sending a redirect to /b/somewhere).
>>>
>>> We are supposed to be sending a redirect (or 403) in that case.
>>> Is that not true?
>>
>> No. Just create a webserver with a document root and the directories a
>> and b
>> below the document root containing an index.html
>>
>> Request
>>
>> GET /a/../b/index.html HTTP/1.0
>>
>> You will get the contents of <document root>/b/index.html directly
>> (a.k.a Status code 200)
>> without any redirect. It works like this as long as I can think of.
> 
> Some bugs last longer than others, no matter how many times they are
> pointed out on this list.  I am too busy to fix it this week and off
> to Berlin next week, but feel free to fix it yourself.
> 
> Any transformation of the URI must result in a 403 or redirect.

Hm. This sounds to me like a major change in the behaviour (not doubting
that the current behaviour is wrong) which has the potential to break existing
applications. Just think of

POST /a/../cgi-bin/script.pl

A redirect here would cause the body to be swallowed and I doubt that any client
will resent the POST request with the new URI and the old body (I have not checked
if this would be the correct RFC compliant behaviour).

Regards

Rüdiger

Mime
View raw message