https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
Eric Covener <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk

--- Comment #16 from Eric Covener <[email protected]> ---
(In reply to comment #15)
> (In reply to comment #14)
> > I have added a new RewriteOption, "AllowAnyURI", in r1356115 which IMO
> > resolves this issue. Other opinions are available! :)
>
> Doesn't mean "AllowAnyURI" option actually "allow
> CVE-2011-3368/CVE-2011-4317"?

If you write a rule that captures/substitutes unsafely, and opts into non-path
arguments, yes.

> And is following statement correct?
>
> "Declining, request-URI 'http://blahblah' is not a URL-path"
>
> I believe http://blahblah is valid URL path.

The path is 1 component of a URL, we use the term "URL-path" for that
component.

> And what is problem with the patch I proposed? Is it vulnerable for
> CVE-2011-3368/CVE-2011-4317? I hope not.
>
> I think I just don't understand it.. :-)

IMO it is too narrow and does not force the user to opt in to the input
sometimes not being a URL path (as it had been documented)
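A configuration check for the combination discussed in the comment above, as an added example that is not part of the bug report or of httpd's own code: it flags `RewriteRule` lines that expand a backreference inside the host part of an absolute URL while `RewriteOptions AllowAnyURI` is enabled. Treating "a backreference before the first `/` of the target" as the unsafe substitution is this example's assumption, and the sample configuration and host names are constructed.

```python
import re

# Constructed sample vhost configuration (not taken from the bug report).
SAMPLE_CONF = r"""
<VirtualHost *:80>
    RewriteEngine On
    RewriteOptions AllowAnyURI
    RewriteRule (.*)\.(ico|jpg|gif|png)$ http://images.example.com$1.$2 [P]
    RewriteRule ^/app/(.*)$ http://backend.example.com/app/$1 [P]
</VirtualHost>
"""

# scheme://authority, where the authority ends at the first "/".
ABS_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/]*)")
# $N / %N / ${map:...} / %{VAR} style expansions.
BACKREF = re.compile(r"[$%](\d|\{)")


def audit(conf: str) -> list[tuple[int, str]]:
    """Return (line number, rule text) for rules that expand a backreference
    inside the authority of an absolute URL while AllowAnyURI is enabled."""
    lines = [ln.strip() for ln in conf.splitlines()]
    # Simplification (assumption): the option is treated as file-wide,
    # not tracked per server/directory context.
    any_uri = any(
        ln.lower().startswith("rewriteoptions") and "allowanyuri" in ln.lower()
        for ln in lines
    )
    findings = []
    for no, ln in enumerate(lines, start=1):
        parts = ln.split()  # assumes no quoted arguments containing spaces
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        m = ABS_URL.match(parts[2])
        # With the opt-in, the matched input need not start with "/", so
        # captured text placed here can change which host is addressed.
        if any_uri and m and BACKREF.search(m.group(1)):
            findings.append((no, ln))
    return findings


if __name__ == "__main__":
    for no, rule in audit(SAMPLE_CONF):
        print(f"line {no}: backreference in URL authority with AllowAnyURI: {rule}")
```

The second rule is not flagged because its target has a literal `/app/` between the host and the captured text.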
