On Fri, Nov 7, 2008 at 3:12 AM, Vlad Seryakov
<[EMAIL PROTECTED]> wrote:
> + # If address set to 0.0.0.0 in nssock to listen on
> + # all interfaces we may try to use Host: header to
> + # return proper urls
> + #
> +
> + if { $loc == "http://0.0.0.0"; } {
> + set host [ns_set iget [ns_conn headers] Host]
> + if { $host != "" } {
> + set loc http://$host
> + }
> + }
You can't take unfiltered input from the host header and then feed it
back to ns_returnredirect as this vulnerable to a response splitting
attack.
http://www.google.co.uk/search?q=response+splitting
It seems like this may be a more general kind of bug. After all, it's
not just in directory listings that 0.0.0.0 is an invalid host
address. Take a look at conn.c:Ns_ConnLocationAppend() -- looks like
this is where the fix needs to go.
This is a tricky are so add some extra tests in tests/ns_conn_host.test
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
naviserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/naviserver-devel
