httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 15:47:13 GMT
On Sep 13, 2007, at 8:20 AM, Plüm, Rüdiger, VF-Group wrote:
>>> Sorry for being confused, but what change to a URI are you
>>> talking about? Transforming
>>>
>>> GET /a/../b/somewhere
>>>
>>> into
>>>
>>> a request for /b/somewhere?
>>>
>>> This is the usual transformation we do also in the case we deliver
>>> static content (without sending a redirect to /b/somewhere).
>>
>> We are supposed to be sending a redirect (or 403) in that case.
>> Is that not true?
>
> No. Just create a webserver with a document root and the  
> directories a and b
> below the document root containing an index.html
>
> Request
>
> GET /a/../b/index.html HTTP/1.0
>
> You will get the contents of <document root>/b/index.html directly  
> (a.k.a Status code 200)
> without any redirect. It works like this as long as I can think of.

Some bugs last longer than others, no matter how many times they are
pointed out on this list.  I am too busy to fix it this week and off
to Berlin next week, but feel free to fix it yourself.

Any transformation of the URI must result in a 403 or redirect.
The only parts of the server that should ever be allowed to
internal redirect are the storage handling routines *after* the
location has been set, and even those should redirect if the new
location has a different (better) URI.  Proxies are absolutely
forbidden from making any change to the URI -- they must forward
as is or return an error.  A reverse proxy is not a proxy.

....Roy
Mime
View raw message