httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's
Date Fri, 08 Jun 2012 12:19:22 GMT
On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton <> wrote:
> On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
>> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton <> wrote:
>> > I like Eric's suggestion of an opt-in RewriteOption.  This will avoid
>> > having to iterate yet again if the whitelist is either too broad or too
>> > narrow, and can make the security implications (such as they are)
>> > explicit.
>> Doesn't that just mean that the security implications are unknown when
>> you want mod_rewrite to process a proxied http request or a CONNECT?
>> I.e., you have to turn off the sanity checks in order to use certain
>> infrequently used features.
> Yes, but that was exactly the previous state: the security implication
> of doing crazy stuff with rewrite rules really is totally unknown.  I
> wouldn't say "infrequently used features", I'd say "undocumented
> behaviour which happened to work previously".

"crazy stuff"/"happened to work" seems a bit convenient for referring
to some useful functionality which was regressed :(  But as far as we
know Right Now it is practical for a user to ensure that all their
rewrite rules are well formed and turn on this option without fear.

I guess there is no desire among the group to take any of the reported
regressions and deem the "feature" supported in the normal manner.

Born in Roswell... married an alien...

View raw message