httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Sat, 26 May 2012 13:19:21 GMT
On 24.05.2012 17:12, Eric Covener wrote:
> There are a couple of PR's going around about people who were using
> rewrite to operate on URL's now kicked out of mod_rewrite by default
> (IIRC at least proxy:blah and CONNECT arg)
> Should we just add a mod_rewrite directive or RewriteOption that opts
> in to handling any URL and document the cautions in the directive?  I
> don't mind doing that code and doc work to skip the new check to
> unblock people before 2.2.23.  Please comment!

I thought the original problem with mod_rewrite existed only for rules 
with the proxy flag. So rules without the proxy floag should be always 
OK. Right? All bugzilla issues I am aware of only use such OK rules. If 
we would allow them, we would fix the problem for most users.

For rules with the proxy flag I don't know what the "right" soluation 
would be. I think the original CVE issue was triggered by interpreting 
some URL prefix as a userinfo (the "@" separated part).

Jeff at some point was also looking at it, the patch attached to PR 
52774 and my suggestion of only restricting rewrite rules with proxy 
flag set. But it seems he also didn't come to a result.



View raw message