httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: Fix for CVE-2011-4317 broke RewriteRule in forward proxy?
Date Wed, 11 Apr 2012 20:13:11 GMT
On Sat, Mar 24, 2012 at 12:27 PM, Rainer Jung <rainer.jung@kippdata.de> wrote:
> On 24.03.2012 16:39, Jeff Trawick wrote:
>> On Sat, Mar 24, 2012 at 7:31 AM, Rainer Jung <rainer.jung@kippdata.de> wrote:
>>> On 24.03.2012 07:02, Kaspar Brand wrote:
>>>> On 23.03.2012 18:11, Rainer Jung wrote:
>>>>> It should be RewriteRule not RewriteMap in my previous mail. I
>>>>> simplified the config to a single RewriteRule but forgot to adjust
>>>>> subject and intro of my mail. The problem remains the same.
>>>>
>>>> Doesn't that ring a bell - namely the one of PR 52774?
>>>
>>> Thanks Kaspar, yes that's the same issue. Sorry for not having remembered
>>> or searched that one.
>>>
>>> I expect the same problem for trunk, but will check it.
>>>
>>> I need to review the argumentation for the final variant of the
>>> CVE-2011-4317 fix but IMHO the current behavior is broken.
>>
>> The primary reasoning was that it lets the long-standing fallback
>> logic in core fail the request if necessary, letting modules decide
>> what they could handle.  Subsequently it was determined that the error
>> path in the initial 3368 fix didn't work for HTTP 0.9 in some levels
>> of code (2.0 IIRC) and just managed to work in 2.2.
>>
>> But yes, this forward proxy situation needs to be supported.  The
>> check added to mod_rewrite to skip things it didn't know how to handle
>> was not correct.
>>
>> After a cursory skim of the code, it seems that RewriteRule could
>> conceivably be used on anything that gets in r->uri or r->filename,
>> but that generality, hopefully unintentional, was part of the original
>> problem.
>
> Would it help to apply the current checks only for [P] flags? Or are there
> other known exposures for the proxy problem? I don't remember any, but maybe
> those were only the easiest ones to understand.
>
> Currently we DECLINE in hook_uri2file() before we actually go through the
> rules. We could DECLINE only if we detect a [P] rule.
>
> Another question would then be, if the same check would again be necessary
> when running through the rules the second time in the fixup hook.

Adding Petr, who posted a patch to bug 52774...

I've stared at the patch a bit (no mysteries) as well as at Rainer's
suggestions above from a couple of weeks ago (whoops!) but haven't
settled on an opinion yet.
