httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tomas Hoger <tho...@redhat.com>
Subject Re: [RFC] further proxy/rewrite URL validation security issue (CVE-2011-4317)
Date Thu, 19 Jan 2012 10:45:10 GMT
Jeff Trawick writes:

> > scheme: @localhost, path: :8880
> 
> not a valid scheme; apr_uri_parse should have failed it for that
> reason (needs to start with lower case, continue with lower case or
> digit or +.-)

...

> so: does fixing apr_uri_parse() resolve these?  not generally (but I
> opened bug 52479 to track the bogus scheme issue)

I agree that rejecting @localhost::8880 as invalid in apr_uri_parse()
because of the invalid scheme character does not resolve this issue.
Actually, the leading @ in that URI is misleading, as it's not needed
for the attack.  localhost: or even http: should work equally well
(both result in non-NULL scheme and allow path starting with a
character different from /).

--
Tomas Hoger



Mime
View raw message