httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Thu, 13 Sep 2007 20:56:07 GMT

On Sep 13, 2007, at 12:30 PM, Nick Kew wrote:

> On Thu, 13 Sep 2007 07:45:06 -0700
> "Roy T. Fielding" <fielding@gbiv.com> wrote:
>
>> Changes to the request URI must be referred back to the client in the
>> form of a redirect.  Any other choice will cause security holes in
>> the request chain, somewhere.
>
> Mapping URLs internally is the server's business.
> Mapping /a/../b/foo to /b/foo is a change of URL if and only
> if it uses an HTTP redirect.  If it happens internally, it's
> an equivalence between the two URLs.
>
> An origin server is just fine with such an equivalence, but
>
>> The proxy (when acting as a proxy) must not change the URI.
>
> This is exactly the bug I'm looking to fix.
>
>> The reverse proxy (gateway) is just an origin server with a
>> stupid name -- it must send a redirect if it makes the above
>> change to a URI.
>
> That would then be handled at the uri_decode stage, before
> mod_proxy ever looks at it.
>

But doesn't the patch affect the behavior of ProxyPass (reverse
proxy or gateway) and not Apache when being a "real" proxy server?
