perl-modperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael A. Capone" <mcap...@cablewholesale.com>
Subject Re: Re: Unsuccessful stat on filename containing newline in RegistryCooker.pm
Date Wed, 27 Feb 2013 23:58:09 GMT
(Sorry so slow in responding, been out of the office)

Randolf Richardson wrote:
>> Hi Folks,
>>
>> I'm reasonably certain that this is just a misconfigured mod_perl server 
>> on my part, but I can't seem to find a solution for it.
>>
>> We are currently running ModPerl::Registry to serve legacy CGI code.  
>> Now, consider the following URL, with an embedded newline:
>>
>> http://www.mysite.com/cgi-bin/search.cgi%0d%0a
>>
>> Since we obviously don't have a CGI file named with a trailing newline 
>> character, I would expect apache to return a 404 Not Found.  However, 
>> apache happily hands the URL off to mod_perl, which attempts to stat 
>> search.cgi(newline), and fails with:
>>     
>
> 	ModPerl is correct if the filename supplied doesn't exist (which you 
> seem to be implying that it doesn't), and what's really nice is that 
> it's informing you of the likely problem with the filename.
>
> 	The URL that people should be using should just end with 
> "search.cgi" and if they're typing this in and adding "%0d%0a" to the 
> end of it then they deserve to receive a 404 Not Found error.
I agree completely!  Unfortunately, that's not what's happening.  We're 
not getting a 404, we're getting a 500 Internal Server Error.  I guess 
that is because perl is throwing an untrapped exception when it sees the 
filename-with-newline.  But yes, my issue is that such a request 
generates a 500. I feel that mod_perl should be returning 404 in this 
case, since the file is indeed not found.

Generally, these kinds of requests are attempts at HTTP header-injection 
or similar attacks.  So I'm under no obligation to be helpful to them :)

Thoughts?

Thanks,
MAC

> 	<snip>
>
>
> 	I hope this helps.
>
> [End of reply.]
>
>   
>> [Wed Feb 13 16:27:33 2013] [error] [client 192.168.254.21] Unsuccessful 
>> stat on filename containing newline at 
>> /usr/local/lib64/perl5/ModPerl/RegistryCooker.pm line 787.\n
>>
>> ... which in turn results in a 500 Server Error.
>>
>> Trying a similar URL with a php file on the same server correctly 
>> returns a 404.  Also, requesting a file like 
>> /cgi-bin/this_file_does_not_exist.cgi correctly returns a 404.  However, 
>> /cgi-bin/this_file_does_not_exist.cgi%0d%0a returns 500.
>>
>> What can / should I do to get the "correct" behaviour out of mod_perl?  
>> I could probably do something with a mod_rewrite RewriteRule to strip 
>> newlines, but I feel like I shouldn't have to run every request through 
>> a RewriteRule.  I could also accept if mod_perl treated this as a 
>> warning, but that's not the case here.
>>
>> Here is line 787 of RegistryCooker.pm, btw:
>>
>> 783: # XXX: should go away when finfo() is ported to 2.0 (don't want to
>> 784: # depend on compat.pm)
>> 785: sub Apache2::RequestRec::my_finfo {
>> 786:     my $r = shift;
>> 787:     stat $r->filename;
>> 788:     \*_;
>> 789: }
>>
>> Thoughts?
>>
>> Thanks!
>> Michael
>>     
>
>
>   

Mime
View raw message