httpd-modules-dev mailing list archives

From Ray Morris <supp...@bettercgi.com>
Subject Re: secure use of ap_get_server_name/port
Date Fri, 07 Mar 2008 04:43:00 GMT
On 03/06/2008 05:26:08 PM, Nebergall, Christopher wrote:
> So while there may be 5 different ways a user may
> type the hostname and port portions of the URI
> for the same content, I would want it to evaluate
> to just 1 definitive answer that I can create policy
> for (or at least as few as possible).

   Sounds like r->server->server_hostname and r->server->port
to me, or use UseCanonicalName On to access it externally
through an environment variable.  Of course there are people
on the list who know Apache a thousand times as well as I do.
I figured I'd try to help with this one, though, to get karma
credit for when I have a question for the real experts. :)
--
Ray B. Morris
support@bettercgi.com

Strongbox - The next generation in site security:
http://www.bettercgi.com/strongbox/

On 03/06/2008 05:26:08 PM, Nebergall, Christopher wrote:
> Sorry, let me clarify. I'm looking at doing external policy
> evaluation of the URI like is done in most SSO products. I have to
> create a policy for every URL the user may hit (with support for
> wildcards).  I would like to minimize the number of policies created.
> So while there may be 5 different ways a user may type the hostname
> and port portions of the URI for the same content, I would want it to
> evaluate to just 1 definitive answer that I can create policy for (or
> at least as few as possible). Plus I need to beware of malicious
> users.  If they set an invalid host header, I don't want a case where
> Apache ignores the host header and host header port because it doesn't
> know about the server mentioned in the host header, but the policy
> code still uses it to do policy evaluation. That creates a case where
> the code would be granting or denying access based on the wrong
> policy.
> 
> Example
> 
> ServerName foo.com
> ServerAlias bob.smith.bar.com *.jones.com
> 
> Assume these requests:
> 
> GET http://bob.smith.bar.com/cgi-bin/printenv
> GET http://mark.jones.com/cgi-bin/printenv
> 
> I want all of these evaluated to only http://foo.com/cgi-bin/printenv
> 
> Which APIs would do this for the server name and host portions?
> 
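The canonicalization Christopher describes, as an added standalone C example (not httpd code and not from either poster): hostname and port from the Host header are reduced to the vhost's ServerName, and a host the vhost does not serve is rejected rather than handed to policy evaluation. The constructed config, the simplified alias matcher and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed virtual-host config, mirroring the example in the thread:
 *   ServerName  foo.com
 *   ServerAlias bob.smith.bar.com *.jones.com
 * (standalone illustration, not httpd's own data structures or APIs) */
static const char *CANONICAL_HOST = "foo.com";
static const int   CANONICAL_PORT = 80;
static const char *ALIASES[] = { "bob.smith.bar.com", "*.jones.com" };
#define NALIASES (sizeof ALIASES / sizeof ALIASES[0])

/* Case-insensitive alias match. Only a leading "*" wildcard is supported here
 * (an assumption of this example); it matches any non-empty prefix, as in *.jones.com. */
static int alias_matches(const char *pattern, const char *host) {
    if (pattern[0] == '*') {
        size_t plen = strlen(pattern + 1), hlen = strlen(host);
        return hlen > plen && strcasecmp(host + hlen - plen, pattern + 1) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Reduce "Host: name[:port]" plus a path to one policy key such as
 * http://foo.com/cgi-bin/printenv. Returns 1 on success; returns 0 (fail closed)
 * for a malformed port, a foreign port, or a host this vhost does not serve, so
 * the caller never evaluates policy against a name Apache would have ignored. */
int canonical_policy_key(const char *host_hdr, const char *path, char *out, size_t outlen) {
    char host[256];
    size_t n = strcspn(host_hdr, ":");
    if (n == 0 || n >= sizeof host) return 0;
    memcpy(host, host_hdr, n);
    host[n] = '\0';
    if (host_hdr[n] == ':') {                      /* explicit port: must be ours */
        char *end;
        long port = strtol(host_hdr + n + 1, &end, 10);
        if (end == host_hdr + n + 1 || *end != '\0' || port != CANONICAL_PORT) return 0;
    }
    if (n > 1 && host[n - 1] == '.') host[n - 1] = '\0';   /* "foo.com." == "foo.com" */
    int served = strcasecmp(host, CANONICAL_HOST) == 0;
    for (size_t i = 0; !served && i < NALIASES; i++)
        served = alias_matches(ALIASES[i], host);
    if (!served) return 0;
    return snprintf(out, outlen, "http://%s%s", CANONICAL_HOST, path) < (int)outlen;
}
```

Case differences, a trailing dot and an explicit default port all collapse to the same key, while an unknown host or a non-listening port yields no key at all.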
