httpd-dev mailing list archives

From Ruediger Pluem <>
Subject Re: Broken URI-unescaping in mod_proxy
Date Mon, 08 Oct 2007 09:17:23 GMT

On 10/08/2007 12:50 AM, Nick Kew wrote:
> On Thu, 13 Sep 2007 08:47:13 -0700
> "Roy T. Fielding" <> wrote:
>>    Proxies are absolutely
>> forbidden from making any change to the URI -- they must forward
>> as is or return an error.
> This is at the root of PR41798, and the others I've marked as
> duplicates of it.
> In fact, it seems to be simpler to fix than I realised.
> Despite standard URL manipulation, the URL is correct at the
> point where it's passed to proxy_http_canon (+clones like
> proxy_balancer_canon).  It is specifically ap_proxy_canonenc
> that corrupts URLs containing escaped characters.
> The bug is fixed if we just remove ap_proxy_canonenc!
> Looking more closely at ap_proxy_canonenc, it is indeed
> just plain wrong at this point:
> /*
>  * Convert a URL-encoded string to canonical form.
>  * It decodes characters which need not be encoded,
>  * and encodes those which must be encoded, and does not touch
>  * those which must not be touched.
>  */
> The first clause (decodes characters which need not be encoded)
> is the culprit here, directly responsible for the bug.
> Re-encoding characters that must be encoded is AFAICT superfluous:
> if the URL contains disallowed bytes at this point due to a
> bug in our earlier processing, we should reject it with 400
> rather than change it.
> Given my history of fluffing up late night patches, I'll leave
> this for now.  But if no one shouts, I'll replace ap_proxy_canonenc
> with a simple validity check in the morning.

Please check that your patch does not fall into the traps I mentioned in

on this thread. Otherwise we create a security issue (at least for reverse proxies and
for reverse proxies Roy's statement is not valid as it is only valid for *proxies*).
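
The kind of non-modifying validity check proposed in the quoted message, sketched as an added example that is not part of this thread or of httpd's code: the path is either accepted byte-for-byte or rejected with 400, and escapes such as `%2F` are never decoded. The function name `check_uri_path`, the RFC 3986 path character set and the sample paths are assumptions, and the check does not address the reverse-proxy concerns raised in the reply.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd code: validate a URL path without
 * modifying it. Returns 0 if acceptable, 400 if it must be rejected. */
#define URI_OK          0
#define URI_BAD_REQUEST 400

static int is_path_literal(unsigned char c)
{
    /* Assumed set: RFC 3986 unreserved / sub-delims / ":" / "@",
     * plus "/" as the segment separator. */
    if (c < 0x80 && isalnum(c))
        return 1;
    return c != '\0' && strchr("-._~!$&'()*+,;=:@/", c) != NULL;
}

int check_uri_path(const char *path)
{
    const unsigned char *p = (const unsigned char *)path;

    for (; *p; p++) {
        if (*p == '%') {
            /* An escape must be "%" HEXDIG HEXDIG. It stays encoded:
             * "%2F" is not turned into "/", "%7E" is not turned into "~". */
            if (!isxdigit(p[1]) || !isxdigit(p[2]))
                return URI_BAD_REQUEST;
            p += 2;
        }
        else if (!is_path_literal(*p)) {
            /* Raw space, control byte, non-ASCII byte, "?", "#", ... */
            return URI_BAD_REQUEST;
        }
    }
    return URI_OK;
}

int main(void)
{
    /* Constructed sample paths */
    const char *samples[] = { "/a%2Fb/c%7Euser", "/a b", "/bad%2", "/x%zz" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s -> %d\n", samples[i], check_uri_path(samples[i]));
    return 0;
}
```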


