httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: Broken URI-unescaping in mod_proxy
Date Mon, 08 Oct 2007 10:11:08 GMT
On Mon, 08 Oct 2007 11:17:23 +0200
Ruediger Pluem <rpluem@apache.org> wrote:


> Please check that your patch does not fall into the traps I mentioned
> in
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200709.mbox/%3c46E450D9.2020601@apache.org%3e

Yesterday's discovery that suddenly makes this look easy is that
we're talking about a canonicalisation happening in fixups, long
after the security-sensitive parsing of incoming URLs.

I'm currently concentrating on the forward proxy.  The reverse
proxy is different, and the code path in question is already
slightly different for it.  Testcasing that is the main 
remaining TBD.

BTW, I should've added: a good forward proxy testcase is the URL
posted by the reporter in PR#42592.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
