httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Fix for CVE-2011-4317 broke RewriteRule in forward proxy?
Date Sat, 24 Mar 2012 16:27:07 GMT
On 24.03.2012 16:39, Jeff Trawick wrote:
> On Sat, Mar 24, 2012 at 7:31 AM, Rainer Jung<rainer.jung@kippdata.de>  wrote:
>> On 24.03.2012 07:02, Kaspar Brand wrote:
>>>
>>> On 23.03.2012 18:11, Rainer Jung wrote:
>>>>
>>>> It should be RewriteRule not RewriteMap in my previous mail. I
>>>> simplified the config to a single RewriteRule but forgot to adjust
>>>> subject and intro of my mail. The problem remains the same.
>>>
>>>
>>> Doesn't that ring a bell - namely the one of PR 52774?
>>
>>
>> Thanks Kaspar, yes that's the same issue. Sorry for not having remembered or
>> searched that one.
>>
>> I expect the same problem for trunk, but will check it.
>>
>> I need to review the argumentation for the final variant of the
>> CVE-2011-4317 fix but IMHO the current behavior is broken.
>
> The primary reasoning was that it lets the long-standing fallback
> logic in core fail the request if necessary, letting modules decide
> what they could handle.  Subsequently it was determined that the error
> path in the initial 3368 fix didn't work for HTTP 0.9 in some levels
> of code (2.0 IIRC) and just managed to work in 2.2.
>
> But yes, this forward proxy situation needs to be supported.  The
> check added to mod_rewrite to skip things it didn't know how to handle
> was not correct.
>
> After a cursory skim of the code, it seems that RewriteRule could
> conceivably be used on anything that gets in r->uri or r->filename,
> but that generality, hopefully unintentional, was part of the original
> problem.

Would it help to apply the current checks only for [P] flags? Or are 
there other known exposures for the proxy problem? I don't remember any, 
but maybe those were only the easiest ones to understand.

Currently we DECLINE in hook_uri2file() before we actually go through 
the rules. We could DECLINE only if we detect a [P] rule.

Another question would then be, if the same check would again be 
necessary when running through the rules the second time in the fixup hook.

Regards,

Rainer
