httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Fri, 08 Jun 2012 12:19:22 GMT
On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton <jorton@redhat.com> wrote:
> On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
>> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <jorton@redhat.com> wrote:
>> > I like Eric's suggestion of an opt-in RewriteOption.  This will avoid
>> > having to iterate yet again if the whitelist is either too broad or too
>> > narrow, and can make the security implications (such as they are)
>> > explicit.
>>
>> Doesn't that just mean that the security implications are unknown when
>> you want mod_rewrite to process a proxied http request or a CONNECT?
>> I.e., you have to turn off the sanity checks in order to use certain
>> infrequently used features.
>
> Yes, but that was exactly the previous state: the security implication
> of doing crazy stuff with rewrite rules really is totally unknown.  I
> wouldn't say "infrequently used features", I'd say "undocumented
> behaviour which happened to work previously".

"crazy stuff"/"happened to work" seems a bit convenient for referring
to some useful functionality which was regressed :(  But as far as we
know Right Now it is practical for a user to ensure that all their
rewrite rules are well formed and turn on this option without fear.
Right?

I guess there is no desire among the group to take any of the reported
regressions and deem the "feature" supported in the normal manner.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Mime
View raw message