httpd-dev mailing list archives

From Joe Orton <>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Fri, 08 Jun 2012 08:58:41 GMT
On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <> wrote:
> > I like Eric's suggestion of an opt-in RewriteOption.  This will avoid
> > having to iterate yet again if the whitelist is either too broad or too
> > narrow, and can make the security implications (such as they are)
> > explicit.
> Doesn't that just mean that the security implications are unknown when
> you want mod_rewrite to process a proxied http request or a CONNECT?
> I.e., you have to turn off the sanity checks in order to use certain
> infrequently used features.

Yes, but that was exactly the previous state: the security implication 
of doing crazy stuff with rewrite rules really is totally unknown.  I 
wouldn't say "infrequently used features", I'd say "undocumented 
behaviour which happened to work previously".

Regards, Joe
