httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Thu, 07 Jun 2012 15:55:10 GMT
On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
> Here are some valid requests which fail the 4317 checks:
> 
> CONNECT foo.example.com[:port]
> GET http://foo.example.com
> GET proxy:http://foo.example.com/    (rewriting something which was
> already proxied internally)
> 
> I am leaning towards the likely minority view that it is problematic
> to not know what the valid inputs to a ~15 year old module really are,
> and we should whitelist a few more patterns such as those above and
> see how far it gets us.  Unfortunately this breaks a few users but
> they are holding the testcases.

Some thoughts:

1) FUD: if we start relaxing those checks again something else is going 
to break in an unexpected way.

2) mod_rewrite's behaviour should match mod_rewrite's documentation.  If 
mod_rewrite guarantees that the input to the first rule set (in vhost 
context) is a URL-path, it shouldn't arbitrarily ignore that guarantee 
for "special" URIs.

I like Eric's suggestion of an opt-in RewriteOption.  This will avoid 
having to iterate yet again if the whitelist is either too broad or too 
narrow, and can make the security implications (such as they are) 
explicit.

Regards, Joe
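To make the URL-path point concrete, here is an added configuration example (it is not from this thread and not the httpd project's own text) of the rewrite-proxy pattern the CVE subject refers to. The first rule interpolates the whole request-URI into the proxy target, so a request-URI that is not a URL-path (a CONNECT host:port or an absolute URI, like the requests quoted above) lands in the target; the second accepts only a leading-slash URL-path. The hostnames are placeholders.

```apache
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On

    # Weak: "^(.*)" matches any request-URI and $1 is interpolated whole
    # into the proxy target. Nothing guarantees $1 begins with "/", so
    # the backend authority can be changed by what the client sent.
    # RewriteRule ^(.*) http://backend.example.com$1 [P]

    # Hardened: only a URL-path (leading "/") matches, and the target
    # supplies its own "/" after the host, so the backend host and port
    # are fixed by the configuration rather than by the request-URI.
    RewriteRule ^/(.*) http://backend.example.com/$1 [P]
</VirtualHost>
```

Requests whose request-URI is not a URL-path simply do not match the hardened rule and are handled by whatever other configuration applies.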
