From Mohit Aron <a...@cs.rice.edu>
Subject Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date Sat, 26 Dec 1998 22:40:01 GMT
The following reply was made to PR mod_cgi/3581; it has been noted by GNATS.

From: Mohit Aron <aron@cs.rice.edu>
To: coar@apache.org
Cc: apbugs@apache.org
Subject: Re: mod_cgi/3581: CGI scripts never get invoked if the URL contains %2f instead of /
Date: Sat, 26 Dec 1998 16:39:17 -0600 (CST)

  > 
  > This is intentional.  The presumption is that such
  > encoded slashes are being used as a form of attack, to
  > access restricted portions of the system that would
  > automatically be denied if the unencoded slash were
  > used.  The current version of the CGI spec (under
  > development at <http://Web.Golux.Com/coar/cgi/>) says
  > that the server can impose whatever restrictions it
  > likes upon PATH_INFO.  It's unclear whether rejecting
  > the request (as Apache currently does) is preferable to
  > invoking the script with PATH_INFO reduced to an empty
  > string.  PATH_TRANSLATED is closely related.
  > 
 
 
 Thanks for your earlier reply. I still don't fully understand the concern
 the Apache developers have. Here are my objections to not permitting a
 %2f in the URL:
 
 1) Before passing the argument to CGI scripts, all arguments are anyway
    unescaped. So any %2f characters would have become a '/' anyway and the
    CGI would be free to discard the arguments upon seeing the '/'. I think
    your concern applies to the case where the %2f is further escaped - i.e.
    into %25%32%66. Unfortunately, Apache still allows this sequence to pass.
    You can try this by:
        http://server/cgi-bin/printenv/a%25%32%66a/
    Look at the PATH_INFO variable returned - it's "/a%2fa/". 
 
 2) I do believe that whether or not to discard the %2f is a policy issue
    and should be left to the CGIs.
 
 
 If my objections seem sound, can you please release a patch for Apache that
 allows a '%2f'? Thanks,
 
 
 
 - Mohit
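The following Python is an added illustration of the decoding behaviour discussed in this thread; it is not code from the thread or from Apache. It models one decoding pass on PATH_INFO, the raw-URL check for %2f that the reply describes, and shows why the doubly encoded form %25%32%66 survives that check while a check that decodes to a fixed point catches both. All function names and sample paths are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample path-info segments from the discussion above.
SINGLE_ENCODED = "/a%2fa/"        # %2f: rejected by the raw-URL check
DOUBLE_ENCODED = "/a%25%32%66a/"  # %2f encoded once more: passes the raw-URL check


def single_pass_decode(raw: str) -> str:
    """One unescaping pass, as the server performs before a CGI sees PATH_INFO."""
    return unquote(raw)


def raw_url_rejects_encoded_slash(raw: str) -> bool:
    """The check described in the reply: refuse a request whose raw URL contains %2F."""
    return "%2f" in raw.lower()


def decode_to_fixed_point(raw: str, max_rounds: int = 4) -> str:
    """Decode repeatedly until the value stops changing, so nested encodings collapse.

    A bounded loop guards against inputs that keep producing new percent sequences.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many encoding layers")


def fully_decoded_adds_slash(raw: str) -> bool:
    """Hardened check: does stripping every encoding layer introduce a slash that
    was not present literally in the raw path? True for both sample paths."""
    return decode_to_fixed_point(raw).count("/") > raw.count("/")


def path_info_as_server_would_pass(raw: str):
    """Model of the behaviour in the thread: reject on a raw %2f, else decode once.
    Returns None for a rejected request, otherwise the PATH_INFO string."""
    if raw_url_rejects_encoded_slash(raw):
        return None
    return single_pass_decode(raw)
```

With the doubly encoded path the server's single pass yields "/a%2fa/", exactly the PATH_INFO value reported above, and a script that unescapes its arguments once more ends up with "/a/a/".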
