www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohit Aron <a...@cs.rice.edu>
Subject Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date Thu, 24 Dec 1998 17:50:01 GMT
The following reply was made to PR mod_cgi/3581; it has been noted by GNATS.

From: Mohit Aron <aron@cs.rice.edu>
To: coar@apache.org
Cc: apbugs@apache.org
Subject: Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of
/
Date: Thu, 24 Dec 1998 11:46:58 -0600 (CST)

 > 
 > This is intentional.  The presumption is that such
 > encoded slashes are being used as a form of attack, to
 > access restricted portions of the system that would
 > automatically be denied if the unencoded slash were
 > used.  The current version of the CGI spec (under
 > development at <http://Web.Golux.Com/coar/cgi/>) says
 > that the server can impose whatever restrictions it
 > likes upon PATH_INFO.  It's unclear whether rejecting
 > the request (as Apache currently does) is preferable to
 > invoking the script with PATH_INFO reduced to an empty
 > string.  PATH_TRANSLATED is closely related.
 > 
 
 
 This doesn't make sense. Whey not unencode the slashes and then check whether
 access is to be allowed - rather than simply rejecting the URL if it contains
 encoded slashes ? I'm trying to configure the Technical Reports server for
 the Department of Computer Science at Rice University. This server interacts
 with the world through a CGI interface and some of the commands that it gets
 have encoded slashes. The sofware is called 'Dienst' and most major
 Universities run it - its available from 
 http://www.ncstrl.org/Dienst/htdocs/Info/about-ncstrl.html.
 
 Is it at least possible to let the rejection of encoded URLs be determined on a
 per-site basis - i.e. through an option in the configuration file of Apache ?
 
 
 - Mohit

Mime
View raw message