httpd-dev mailing list archives

From Rainer Jung <>
Subject Re: Fix for CVE-2011-4317 broke RewriteRule in forward proxy?
Date Sat, 24 Mar 2012 16:27:07 GMT
On 24.03.2012 16:39, Jeff Trawick wrote:
> On Sat, Mar 24, 2012 at 7:31 AM, Rainer Jung <> wrote:
>> On 24.03.2012 07:02, Kaspar Brand wrote:
>>> On 23.03.2012 18:11, Rainer Jung wrote:
>>>> It should be RewriteRule not RewriteMap in my previous mail. I
>>>> simplified the config to a single RewriteRule but forgot to adjust
>>>> subject and intro of my mail. The problem remains the same.
>>> Doesn't that ring a bell - namely the one of PR 52774?
>> Thanks Kaspar, yes that's the same issue. Sorry for not having remembered or
>> searched that one.
>> I expect the same problem for trunk, but will check it.
>> I need to review the argumentation for the final variant of the
>> CVE-2011-4317 fix but IMHO the current behavior is broken.
> The primary reasoning was that it lets the long-standing fallback
> logic in core fail the request if necessary, letting modules decide
> what they could handle.  Subsequently it was determined that the error
> path in the initial 3368 fix didn't work for HTTP 0.9 in some levels
> of code (2.0 IIRC) and just managed to work in 2.2.

> But yes, this forward proxy situation needs to be supported.  The
> check added to mod_rewrite to skip things it didn't know how to handle
> was not correct.
> After a cursory skim of the code, it seems that RewriteRule could
> conceivably be used on anything that gets in r->uri or r->filename,
> but that generality, hopefully unintentional, was part of the original
> problem.

Would it help to apply the current checks only for [P] flags? Or are 
there other known exposures for the proxy problem? I don't remember any, 
but maybe those were only the easiest ones to understand.

Currently we DECLINE in hook_uri2file() before we actually go through 
the rules. We could DECLINE only if we detect a [P] rule.

Another question would then be, if the same check would again be 
necessary when running through the rules the second time in the fixup hook.
