httpd-users mailing list archives

From "Isaac Dawson" <isaac.daw...@gmail.com>
Subject [users@httpd] Interesting mod_proxy issue with Double decoding.
Date Tue, 13 Feb 2007 09:14:11 GMT
Hello,
I have a configuration utilizing Apache 2.2.0 with mod_proxy. What I want to
do is protect the server and limit the user to accessing a single directory,
let's say /java_tut/, from a machine running Resin.

So we have the following configuration:
<Proxy *>
   Order deny,allow
   Allow from all
</Proxy>

ProxyPass /java_tut/ http://someotherhost:8080/java_tut/

Everything works, the user can't access other directories outside of
java_tut.
Unless of course they do /java_tut/%252e%252e/examples/basic/viewsource.jsp.
Using a double encoding of .. they are able to traverse back a
directory. This is not what I want.


So I came up with the following rules:
ProxyPass /java_tut/%2e%2e !
ProxyPass /java_tut/%2e. !
ProxyPass /java_tut/.%2e !

Which works; they can't get out of the directory any more. For those encoding
schemes, obviously any rule that requires 3 or more types of denies is
probably flawed because I'm 99% sure there are other encoding tricks to get
past these. Has anyone seen or come across such issues and has a better
recommendation?
Thanks a lot,
-Isaac
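
A defender-side check for the double-decoding problem described in this post, added here as an example (it is neither the poster's configuration nor Apache code). It assumes /java_tut/ is the only proxied prefix and uses constructed log lines: it decodes each request path until it stops changing, resolves the dot segments the backend would resolve, and reports any request whose canonical form escapes the prefix.

```python
"""Flag encoded dot-segment traversal against a proxied prefix.

Added example, not code from the post or from Apache httpd. It models the
problem above: the backend percent-decodes the forwarded path again, so
"%252e%252e" reaches it as "..". Decode until stable, resolve dot segments,
then check the result is still under the prefix. Sample values are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

ALLOWED_PREFIX = "/java_tut/"  # assumption: the one directory being proxied
MAX_DECODE_ROUNDS = 3          # bound the loop; deeper nesting is itself suspicious
# request field of an Apache combined-format log line: "GET /path HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(path: str) -> tuple[str, int]:
    """Percent-decode until nothing changes; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def check_path(raw_path: str) -> dict:
    """Verdict on whether raw_path, with every encoding layer removed, stays in the prefix."""
    decoded, rounds = fully_decode(raw_path.split("?", 1)[0])  # query never moves the file path
    canonical = posixpath.normpath(decoded)  # "/java_tut/../examples/x" -> "/examples/x"
    inside = canonical == ALLOWED_PREFIX.rstrip("/") or canonical.startswith(ALLOWED_PREFIX)
    return {"raw": raw_path, "canonical": canonical, "decode_rounds": rounds, "allowed": inside}

def scan_access_log(lines: list[str]) -> list[dict]:
    """Return the verdict for every logged request that escapes the prefix."""
    flagged = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if m and not (verdict := check_path(m.group(1)))["allowed"]:
            flagged.append(verdict)
    return flagged

# Constructed sample log lines (Apache combined format); the traversal ones mirror the post
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Feb/2007:09:14:11 +0000] "GET /java_tut/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [13/Feb/2007:09:14:12 +0000] "GET /java_tut/%252e%252e/examples/basic/viewsource.jsp HTTP/1.1" 200 900',
    '10.0.0.5 - - [13/Feb/2007:09:14:13 +0000] "GET /java_tut/.%2e/examples/x.jsp HTTP/1.1" 200 300',
    '10.0.0.5 - - [13/Feb/2007:09:14:14 +0000] "GET /java_tut/docs/%20notes.jsp?x=%252e HTTP/1.1" 200 100',
]
```

The `decode_rounds` field tells an analyst how many encoding layers the client stacked; the single ProxyPass exclusions above only catch the one-layer spellings, while this check compares the fully decoded result.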
