httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject [PATCH] CVE-2011-3368, CVE-2011-4317, trunk
Date Wed, 18 Jan 2012 16:16:18 GMT
Following the thread
http://mail-archives.apache.org/mod_mbox/httpd-dev/201112.mbox/%3CCAKUrXK4uwT%3DP1KtEziNqFdxXs%2BtyWvggzpL8x2u-Bbq8tZ-Zsw%40mail.gmail.com%3E
and the related discussion in 2.2.x/STATUS, attached is a patch for
trunk that implements the checking according to the following
criteria:

* modules can handle whatever valid URIs they want in the translate_name phase
* our modules (rewrite, proxy, alias, whatever) decline URIs they can't handle
* core's translate_name enforces HTTP constraints on the URI,
returning 400 otherwise

(This patch is based on a 2.2.x patch from jorton with a tweak
suggested by wrowe, with the necessary reverts to fit it on trunk.)

The obvious alternative is to reverse the long-standing design and

* remove the check in core's translate name that currently returns
400, and implement it before calling translate name
* remove the check in alias, rewrite, proxy, whatever that currently declines

(That long-standing design was missing checks in rewrite and proxy,
and changing the design would resolve the same issue in third-party
modules while yanking the right of some module to implement other URI
forms.)
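
The two designs compared in the message above, as an added example that is not part of the original message, the attached patch, or httpd's source. It is a simplified model: every hook name, the `x-cache:` URI form and the sample URIs are hypothetical, and the HTTP constraint is assumed to be "the URI starts with `/` or is `*`".

```c
#include <stdio.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_BAD_REQUEST 400

typedef int (*translate_fn)(const char *uri);

/* Assumed HTTP constraint for this model: the URI is a path or "*". */
static int uri_is_http_valid(const char *uri) {
    return uri[0] == '/' || strcmp(uri, "*") == 0;
}
/* Hypothetical module that declines whatever it cannot handle. */
static int careful_hook(const char *uri) {
    if (uri[0] != '/') return DECLINED;
    return strncmp(uri, "/app/", 5) == 0 ? OK : DECLINED;
}
/* Hypothetical module implementing its own valid URI form. */
static int own_form_hook(const char *uri) {
    return strncmp(uri, "x-cache:", 8) == 0 ? OK : DECLINED;
}
/* Hypothetical third-party module that forgot the decline check. */
static int unchecked_hook(const char *uri) {
    size_t n = strlen(uri);
    return (n >= 4 && strcmp(uri + n - 4, ".cgi") == 0) ? OK : DECLINED;
}
/* Core runs last and answers 400 for anything outside the HTTP constraint. */
static int core_hook(const char *uri) {
    return uri_is_http_valid(uri) ? OK : HTTP_BAD_REQUEST;
}
/* Run-first semantics: the first hook that does not decline decides. */
static int run_first(const translate_fn *hooks, size_t n, const char *uri) {
    for (size_t i = 0; i < n; i++) {
        int rv = hooks[i](uri);
        if (rv != DECLINED) return rv;
    }
    return DECLINED;
}
static const translate_fn HOOKS[] = { careful_hook, own_form_hook, unchecked_hook, core_hook };

/* Design in the patch: each module declines, core enforces at the end. */
int design_patch(const char *uri) { return run_first(HOOKS, 4, uri); }
/* Alternative: enforce before translate_name, so no module needs a check. */
int design_alternative(const char *uri) {
    return uri_is_http_valid(uri) ? run_first(HOOKS, 4, uri) : HTTP_BAD_REQUEST;
}
int main(void) {
    const char *samples[] = { "/app/x", "x-cache:item", "report.cgi", "noslash" }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("%-14s patch=%d alternative=%d\n", samples[i], design_patch(samples[i]), design_alternative(samples[i]));
    return 0;
}
```

In this model the first design lets `own_form_hook` keep its URI form but also lets `unchecked_hook` accept a URI that core would have rejected, while the alternative closes that gap and rejects both.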
