httpd-dev mailing list archives

From "Malte S. Stretz" <...@apache.org>
Subject Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?
Date Tue, 12 Oct 2010 17:49:02 GMT
On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote:
> On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote:
> > On 12 Oct 2010, at 15:30, Malte S. Stretz wrote:
> >> I had a quick look at the Apache source and the solution was simple:
> >>  Just drop headers which contain any character outside the range
> >> [a-zA-Z0-9-]. The patch against trunk is attached.
> > 
> > This made me think of something we had a while ago; and after
> > checking the logs - big +1 from me!
> 
> Agreed, with a caveat... we ought to be able to toggle this for the
> rare but significant legacy app that requires it... which implies a
> per-dir flag that can override just one CGI script out of an entire
> server.

I think an option is not needed as there is a workaround.  E.g. to make an 
Accept_Encoding header work:

SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_header=$1
RequestHeader set Accept-Encoding %{fix_header}e env=fix_header

(I had to use a regexp in SetEnvIf since for some reason comparing to an 
invalid header doesn't work.)

Cheers,
Malte
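The rule under discussion (drop any CGI response header whose name contains a character outside [a-zA-Z0-9-]) is easy to state but worth seeing as code, since the point is that a name containing a space, an underscore, or a CR/LF never reaches the response at all. The following is an added illustration, not Malte's patch and not httpd's own header-parsing code; the function names and the sample header lines are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return true if every character of a CGI header name is in [a-zA-Z0-9-].
 * Explicit ASCII ranges are used instead of isalnum() so the check does not
 * depend on the process locale. An empty name is rejected. */
bool cgi_header_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const char *p = name; *p; p++) {
        char c = *p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (!ok)
            return false;
    }
    return true;
}

/* Copy the part of "Name: value" before the first ':' into name_buf.
 * Returns false if there is no colon or the name does not fit. */
static bool split_header_name(const char *line, char *name_buf, size_t buf_sz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return false;
    size_t n = (size_t)(colon - line);
    if (n >= buf_sz)
        return false;
    memcpy(name_buf, line, n);
    name_buf[n] = '\0';
    return true;
}

/* Filter a list of CGI header lines: pointers to the lines whose names pass
 * cgi_header_name_is_valid() are written to kept[]; everything else is
 * dropped. Returns the number of lines kept. */
size_t drop_invalid_cgi_headers(const char *const *lines, size_t n_lines,
                                const char **kept, size_t kept_cap)
{
    size_t n_kept = 0;
    char name[128];
    for (size_t i = 0; i < n_lines && n_kept < kept_cap; i++) {
        if (!split_header_name(lines[i], name, sizeof name))
            continue;                 /* no "Name:" prefix -> dropped */
        if (!cgi_header_name_is_valid(name))
            continue;                 /* forbidden character -> dropped */
        kept[n_kept++] = lines[i];
    }
    return n_kept;
}

/* Constructed sample output of a CGI script. Only the first two lines carry
 * names built from [a-zA-Z0-9-]; the rest are dropped by the filter. */
static const char *const sample_lines[] = {
    "Content-Type: text/html",
    "X-Custom-1: ok",
    "Accept_Encoding: gzip",            /* underscore, like the thread's example */
    "Bad Name: x",                      /* space in the name */
    "X-Evil\r\nInjected: y",            /* CR/LF inside the name */
    "NoColonHere",                      /* not a header line at all */
};

/* Run the filter over the constructed sample and return how many survive. */
size_t run_sample_filter(void)
{
    const char *kept[8];
    size_t n = sizeof sample_lines / sizeof sample_lines[0];
    return drop_invalid_cgi_headers(sample_lines, n, kept, 8);
}

int main(void)
{
    const char *kept[8];
    size_t n = sizeof sample_lines / sizeof sample_lines[0];
    size_t n_kept = drop_invalid_cgi_headers(sample_lines, n, kept, 8);
    printf("kept %zu of %zu header lines:\n", n_kept, n);
    for (size_t i = 0; i < n_kept; i++)
        printf("  %s\n", kept[i]);
    return 0;
}
```

Note that the filter rejects the whole header line rather than trying to repair the name; that is what makes the SetEnvIf/RequestHeader workaround above necessary for a legacy script that emits an underscore in a header name.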
