Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize
On Thu, Jul 16, 2020 at 3:31 PM Ruediger Pluem wrote:
>
> On 6/24/20 1:27 PM, Eric Covener wrote:
> >>
> >> ProxyMappingDecoded is not needed anymore (and was removed).
> >> The mapping= tells mod_proxy at which stage ([pre_]translate) it
> >> should map the request path.
> > +1
> >
>
> Getting back to an old topic. Shouldn't we have a directive similar to
> AllowEncodedSlashes that allows us to block URI's that contain
> URL fragments like /.; and /..; in order to avoid that someone plays
> silly games that bypass Location settings and RewriteRules
> that might be used with a servlet engine in the backend? Happy
> to have that set to a default that allows /.; and /..;.

+, but I'd want the safer default.

Re: hardening mod_write and mod_proxy like mod_jk with servletnormalize
On 6/24/20 1:27 PM, Eric Covener wrote:
>>
>> ProxyMappingDecoded is not needed anymore (and was removed).
>> The mapping= tells mod_proxy at which stage ([pre_]translate) it
>> should map the request path.
> +1
>

Getting back to an old topic. Shouldn't we have a directive similar to
AllowEncodedSlashes that allows us to block URI's that contain
URL fragments like /.; and /..; in order to avoid that someone plays
silly games that bypass Location settings and RewriteRules
that might be used with a servlet engine in the backend? Happy
to have that set to a default that allows /.; and /..;.

Regards

Rüdiger
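
The check discussed in this thread, sketched as an added example that is not part of the thread or of httpd's code: it flags request paths containing the /.; and /..; forms and shows the path a backend would resolve. It assumes the servlet engine strips `;params` from each segment before collapsing dot segments; the function names and sample paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote


def has_dot_segment_with_params(path):
    """True if any segment is '.' or '..' followed by ';' (the /.; and /..; forms).

    The path is percent-decoded once first, so %2e%2e; is treated like ..;
    """
    for seg in unquote(path).split("/"):
        name, sep, _ = seg.partition(";")
        if sep and name in (".", ".."):
            return True
    return False


def strip_path_params(path):
    """Drop ';params' from every segment (assumed servlet-engine behaviour)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def backend_view(path):
    """Path the assumed backend ends up serving: strip params, then collapse dots."""
    return posixpath.normpath(strip_path_params(unquote(path)))


# Constructed sample paths. A front end that matches on the literal text sees
# '..;' as an ordinary segment, so a prefix rule for /app/public still matches.
SAMPLE_PATHS = [
    "/app/public/index.jsp;jsessionid=abc",  # ordinary path parameter
    "/app/public/..;/admin/",                # /..; form
    "/app/public/%2e%2e;x=1/admin",          # same, percent-encoded dots
    "/app/.;/status",                        # /.; form
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        verdict = "BLOCK" if has_dot_segment_with_params(p) else "allow"
        print(f"{verdict:5}  {p}  ->  backend sees {backend_view(p)}")
```

A path parameter on an ordinary segment, such as `;jsessionid=`, is left alone; only `.` and `..` segments carrying a `;` are flagged.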