httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Mon, 28 Nov 2011 14:29:26 GMT
On Wed, Nov 23, 2011 at 04:53:46PM +0100, "Plüm, Rüdiger, VF-Group" wrote:
> One comment though: Shouldn't we check r->unparsed_uri as well (at least
> in the proxy case, as it may be used by ap_proxy_trans_match instead of r->uri)?

Thanks for looking at this!

I'm not sure how we could check r->unparsed_uri here other than by 
parsing it and checking whether it has a path element; which is 
effectively what we do by checking r->uri.

Regards, Joe

View raw message