httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Thu, 07 Jun 2012 01:08:02 GMT
On Sat, May 26, 2012 at 9:19 AM, Rainer Jung <rainer.jung@kippdata.de> wrote:
> On 24.05.2012 17:12, Eric Covener wrote:
>>
>> There are a couple of PR's going around about people who were using
>> rewrite to operate on URL's now kicked out of mod_rewrite by default
>> (IIRC at least proxy:blah and CONNECT arg)
>>
>> Should we just add a mod_rewrite directive or RewriteOption that opts
>> in to handling any URL and document the cautions in the directive?  I
>> don't mind doing that code and doc work to skip the new check to
>> unblock people before 2.2.23.  Please comment!
>
>
> I thought the original problem with mod_rewrite existed only for rules with
> the proxy flag. So rules without the proxy flag should be always OK. Right?
> All bugzilla issues I am aware of only use such OK rules. If we would allow
> them, we would fix the problem for most users.

AFAIK the original problem was just for [P].  I don't know if it is
reasonable to let everything else through, on the theory that there's
no telling what can happen with mod_rewrite :)  (But thus far there
has been no telling what existing behavior became broken by NOT
letting everything else through.)

Elsewhere was reported another legacy configuration with [P] which
does not work with the checks added with 4317.  So just limiting the
new check to cases with [P] isn't sufficient.

>
> For rules with the proxy flag I don't know what the "right" solution would
> be. I think the original CVE issue was triggered by interpreting some URL
> prefix as a userinfo (the "@" separated part).
>
> Jeff at some point was also looking at it, the patch attached to PR 52774
> and my suggestion of only restricting rewrite rules with proxy flag set. But
> it seems he also didn't come to a result.

What happened was that I signed up for a handful of courses on Udacity
and Coursera and am just now catching my breath this week :)

Here are some valid requests which fail the 4317 checks:

CONNECT foo.example.com[:port]
GET http://foo.example.com
GET proxy:http://foo.example.com/    (rewriting something which was
already proxied internally)

I am leaning towards the likely minority view that it is problematic
to not know what the valid inputs to a ~15 year old module really are,
and we should whitelist a few more patterns such as those above and
see how far it gets us.  Unfortunately this breaks a few users but
they are holding the testcases.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
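As an added illustration of the request forms listed in the message above (CONNECT authority-form, absolute-form GET, and the internal proxy: prefix), here is a small classifier with a whitelist built from those forms. This is example code written for this page; it is not httpd's or mod_rewrite's code and not the check added for CVE-2011-4317. The function names (classify_target, target_allowed), the hostport grammar, and the decision to reject any authority containing characters outside host[:port] (which also rejects an "@" userinfo) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Request-target forms as they might reach a rewrite engine.
 * Hypothetical classification for this example only. */
typedef enum {
    FORM_ORIGIN,         /* "/path"            the normal case            */
    FORM_ASTERISK,       /* "*"                e.g. OPTIONS *             */
    FORM_ABSOLUTE,       /* "http://host/..."  forward-proxy style GET    */
    FORM_AUTHORITY,      /* "host[:port]"      CONNECT                    */
    FORM_INTERNAL_PROXY, /* "proxy:..."        already proxied internally */
    FORM_UNKNOWN         /* anything else: rejected before rules run      */
} target_form;

/* scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
static int valid_scheme(const char *s, size_t n)
{
    size_t i;
    if (n == 0 || !isalpha((unsigned char)s[0])) return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* host[:port], host = ALPHA/DIGIT/"."/"-", port = 1*DIGIT.
 * Deliberately narrow: no userinfo ("@"), no IPv6 literals, no empty host.
 * Assumption of this example, not a statement about what httpd accepts. */
static int valid_hostport(const char *s, size_t n)
{
    size_t i = 0;
    while (i < n && (isalnum((unsigned char)s[i]) || s[i] == '.' || s[i] == '-')) i++;
    if (i == 0) return 0;          /* empty host */
    if (i == n) return 1;          /* host only */
    if (s[i] != ':') return 0;     /* anything else after host is rejected */
    i++;
    if (i == n) return 0;          /* "host:" with no port */
    for (; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

target_form classify_target(const char *method, const char *uri)
{
    const char *sep, *auth, *end;

    if (uri[0] == '/') return FORM_ORIGIN;
    if (strcmp(uri, "*") == 0) return FORM_ASTERISK;
    if (strncmp(uri, "proxy:", 6) == 0) return FORM_INTERNAL_PROXY;

    sep = strstr(uri, "://");
    if (sep != NULL) {
        if (!valid_scheme(uri, (size_t)(sep - uri))) return FORM_UNKNOWN;
        auth = sep + 3;
        end = strchr(auth, '/');
        if (end == NULL) end = auth + strlen(auth);
        return valid_hostport(auth, (size_t)(end - auth)) ? FORM_ABSOLUTE
                                                          : FORM_UNKNOWN;
    }
    /* Bare host[:port] is only meaningful as a CONNECT target. */
    if (strcmp(method, "CONNECT") == 0 && valid_hostport(uri, strlen(uri)))
        return FORM_AUTHORITY;
    return FORM_UNKNOWN;
}

/* Whitelist: the forms listed in the message pass, everything else does not. */
int target_allowed(const char *method, const char *uri)
{
    return classify_target(method, uri) != FORM_UNKNOWN;
}

int main(void)
{
    /* Constructed sample request lines, including the three from the message. */
    static const char *samples[][2] = {
        { "CONNECT", "foo.example.com:443" },
        { "GET",     "http://foo.example.com" },
        { "GET",     "proxy:http://foo.example.com/" },
        { "GET",     "/index.html" },
        { "GET",     "http://user@foo.example.com/" },
        { "GET",     "foo.example.com" },
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-7s %-32s form=%d allowed=%d\n", samples[i][0], samples[i][1],
               (int)classify_target(samples[i][0], samples[i][1]),
               target_allowed(samples[i][0], samples[i][1]));
    return 0;
}
```

The point of the example is the shape of the decision: rather than trying to enumerate every input a long-lived module might see, it names the few forms known to be legitimate and refuses the rest, which is the whitelist approach suggested in the message.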
