httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: Broken URI-unescaping in mod_proxy
Date Mon, 08 Oct 2007 09:17:23 GMT


On 10/08/2007 12:50 AM, Nick Kew wrote:
> On Thu, 13 Sep 2007 08:47:13 -0700
> "Roy T. Fielding" <fielding@gbiv.com> wrote:
> 
>>    Proxies are absolutely
>> forbidden from making any change to the URI -- they must forward
>> as is or return an error.
> 
> This is at the root of PR41798, and the others I've marked as
> duplicates of it.
> 
> In fact, it seems to be simpler to fix than I realised.
> Despite standard URL manipulation, the URL is correct at the
> point where it's passed to proxy_http_canon (+clones like
> proxy_balancer_canon).  It is specifically ap_proxy_canonenc
> that corrupt URLs containing escaped characters.
> 
> The bug is fixed if we just remove ap_proxy_canonenc!
> 
> Looking more closely at ap_proxy_canonenc, it is indeed
> just plain wrong at this point:
> 
> /*
>  * Convert a URL-encoded string to canonical form.
>  * It decodes characters which need not be encoded,
>  * and encodes those which must be encoded, and does not touch
>  * those which must not be touched.
>  */
> 
> The first clause (decodes characters which need not be encoded)
> is the culprit here, directly responsible for the bug.
> Re-encoding characters that must be encoded is AFAICT superfluous:
> if the URL contains disallowed bytes at this point due to a
> bug in our earlier processing, we should reject it with 400
> rather than change it.
> 
> Given my history of fluffing up late night patches, I'll leave
> this for now.  But if noone shouts, I'll replace ap_proxy_canonenc
> with a simple validity check in the morning.

Please check that your patch does not fall into the traps I mentioned in

http://mail-archives.apache.org/mod_mbox/httpd-dev/200709.mbox/%3c46E450D9.2020601@apache.org%3e

on this thread. Otherwise we create a security issue (at least for reverse proxies and
for reverse proxies Roy's statement is not valid as it is only valid for *proxies*).

Regards

RĂ¼diger


Mime
View raw message