www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maurice Cinquini <mcinqu...@speedera.com>
Subject Re: mod_rewrite/6950: RewriteMap problem
Date Sat, 09 Dec 2000 01:40:01 GMT
The following reply was made to PR mod_rewrite/6950; it has been noted by GNATS.

From: Maurice Cinquini <mcinquini@speedera.com>
To: Vladislav Shulgin <shulya@sputnikmedia.net>, apbugs@Apache.Org
Cc:  
Subject: Re: mod_rewrite/6950: RewriteMap problem
Date: Fri, 08 Dec 2000 17:38:46 -0800

 Just about all useful use of RewriteMaps (including the examples in
 the documentation) has been lost due the a security fix added to
 1.3.14, described by this comment:
 
 /*
  * for security reasons this expansion must be perfomed in a
  * single pass, otherwise an attacker can arrange for the result
  * of an earlier expansion to include expansion specifiers that
  * are interpreted by a later expansion, producing results that
  * were not intended by the administrator.
  */
 
 If the map key contains a variable, that variable no longer gets expanded!
 
 I'm thinking a simple fix is to recursively call do_expand() on
 the map "key" and  "dflt" (default) strings.
 I think this still secure because only runs do_expand on parts
 of the substitution pattern that have not been expanded yet.
 
 I also note that the code doesn't handle nested map expressions,
 but I don't think it ever did.

Mime
View raw message