httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Thu, 07 Jun 2012 17:14:37 GMT
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <> wrote:
> On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
>> Here are some valid requests which fail the 4317 checks:
>> CONNECT[:port]
>> GET
>> GET proxy:    (rewriting something which was
>> already proxied internally)
>> I am leaning towards the likely minority view that it is problematic
>> to not know what the valid inputs to a ~15 year old module really are,
>> and we should whitelist a few more patterns such as those above and
>> see how far it gets us.  Unfortunately this breaks a few users but
>> they are holding the testcases.
> Some thoughts:
> 1) FUD: if we start relaxing those checks again something else is going
> to break in an unexpected way.

Certainly a valid fear :)

> 2) mod_rewrite's behaviour should match mod_rewrite's documentation.  If
> mod_rewrite guarantees that the input to the first rule set (in vhost
> contex) is a URL-path, it shouldn't arbitrarily ignore that guarantee
> for "special" URIs.
> I like Eric's suggestion of an opt-in RewriteOption.  This will avoid
> having to iterate yet again if the whitelist is either too broad or too
> narrow, and can make the security implications (such as they are)
> explicit.

Doesn't that just mean that the security implications are unknown when
you want mod_rewrite to process a proxied http request or a CONNECT?
I.e., you have to turn off the sanity checks in order to use certain
infrequently used features.

Eric, what was the opt-in exactly?  In what scope would you need to
enable it in order to process a CONNECT request?

> Regards, Joe

Born in Roswell... married an alien...

View raw message