www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matthew Wickline <matthew_at_wickline_dot_...@break.spambots.ok>
Subject general/4609: bad client GET request results in incorrect SERVER_PROTOCOL env var
Date Fri, 18 Jun 1999 16:55:37 GMT

>Number:         4609
>Category:       general
>Synopsis:       bad client GET request results in incorrect SERVER_PROTOCOL env var
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Jun 18 11:10:00 PDT 1999
>Originator:     matthew_at_wickline_dot_org@break.spambots.ok
>Release:        Apache/1.3.6 (Unix)
uname -a
Linux rhino.he.net 2.2.2-ac3 #2 SMP Thu Feb 25 12:56:55 PST 1999 i686

Apache/1.3.6 (Unix) PHP/3.0.7 mod_ssl/2.2.8 OpenSSL/0.9.2b
(in perl)
$ENV{'SERVER_PROTOCOL'} value will, in a bizzare case, be incorrect.

It will contain a URL followed by the normal SERVER_PROTOCOL value.

This breaks CGI.pm which splits on the '/' in $ENV{'SERVER_PROTOCOL'}
to determine the protocol used. This results in CGI.pm doing things
like giving http:://server.com/path as the return value to url()
(note the extra colon above).
Very obscure to reproduce.

Here's one way:
On a macintosh, create a text file with two lines:

Copy the first URL, the newline, and the second URL
(I didn't copy the 2nd \n... don't know if it matters)

open the Internet control panel (This is MacOS 8.6)
paste that value as your homepage.
MacOS has a bug that lets you paste two lines in there
I'll contact them too :)

Now launch Netscape Navigator (I'm using 4.6)

Netscape won't let you paste two lines into it's location
field, but it *will* import it from the Internet control
panel. (But will crash next time you open NN, since it
will now have an unexpected \n in it's prefs file... I'll
contact them about the bug allowing it to import this bad
value in the first place.)

Now hit the home button in NN.

The request it generates, when sent to Apache/1.3.6 (Unix)
(and maybe any Apache)
will cause Apache to put an incorrect value in the SERVER_PROTOCOL
environment variable when calling the cgi script.

Instead of something like
It puts something like
    http://server.com/path/to/a.cgi?foo=bar HTTP/1.1
in there. This is a bug.

One side effect of this bug is that CGI.pm then derives
the current protocol to be lowercase of whatever is before
the first '/'
... or in this case 'http:' (note the extra colon)
that is then used in place of 'http' which is what you
would normally see.
If someone wants to set up a dummy HTTPd to catch the bad request,
feel free to send me the URL I can send this particular type of
bad request your way.

You can then program Apache more defensively to not put the
bad value in the protocol environment variable in this situation.

My email (broken up to avoid spam) is
matthew at wickline dot org

This is obviously obscure enough to be a very low priority :)
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]

View raw message