> -----Original Message-----
> From: Roy T. Fielding
> Sent: Thursday, 13 September 2007 16:45
> To: [email protected]
> Subject: Re: Broken URI-unescaping in mod_proxy
>
>
> On Sep 9, 2007, at 1:00 PM, Ruediger Pluem wrote:
>
> > On 09/09/2007 04:30 PM, Nick Kew wrote:
> >>
> >> How so?
> >
> > ProxyPass /a http://backend/
> > ProxyPass /b http://backend/
> >
> >
> > <Proxy http://backend/a>
> > allow from someip
> > deny from all
> > </Proxy>
> >
> > <Proxy http://backend/b>
> > allow from someotherip
> > deny from all
> > </Proxy>
> >
> > Request:
> >
> > GET /a/%2E%2E/b/somewhere
> > GET /a/../b/somewhere
> >
> > This allows someip to access http://backend/b/somewhere with the
> > patch.
> > It does not without because r->uri would be /b/somewhere.
>
> Changes to the request URI must be referred back to the client in the
> form of a redirect. Any other choice will cause security holes in
> the request chain, somewhere.
>
> The proxy (when acting as a proxy) must not change the URI.
>
> The reverse proxy (gateway) is just an origin server with a
> stupid name -- it must send a redirect if it makes the above
> change to a URI.

Sorry for being confused, but what change to a URI are you talking about?
Transforming GET /a/../b/somewhere into a request for /b/somewhere?
This is the usual transformation we also do when we deliver static content
(without sending a redirect to /b/somewhere).

Regards

Rüdiger
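The disagreement above is about *when* the gateway decodes and normalises the request path relative to its access check. The following Python model is an added illustration for readers of the thread; it is not httpd code and does not reproduce mod_proxy's actual matching internals. It keeps the two `ProxyPass` lines and the two `allow from` lists from Rüdiger's configuration, but, as a simplification, attaches each access list to the `ProxyPass` prefix that matched rather than to a `<Proxy>` URL section, and uses constructed addresses for "someip" and "someotherip". The function and variable names are the model's own. `forward_check_first` checks access on the raw path and decodes afterwards (the order Rüdiger describes for the patched build); `forward_canonical_first` decodes and normalises once, decides access on that canonical path, and, as Fielding asks, answers a path that changed under normalisation with a redirect instead of proxying it.

```python
"""Toy reverse-proxy model: order of URI decoding, normalisation and ACL checks.

Constructed for illustration; not Apache httpd code.
"""
import posixpath
from urllib.parse import unquote

# ProxyPass /a http://backend/
# ProxyPass /b http://backend/
ROUTES = {"/a": "http://backend/", "/b": "http://backend/"}

# Stand-in for the <Proxy ...> allow/deny sections of the mail: the access
# list is keyed by the ProxyPass prefix that matched (simplification).
SOMEIP, SOMEOTHERIP = "192.0.2.1", "192.0.2.2"          # constructed addresses
ACLS = {"/a": {SOMEIP}, "/b": {SOMEOTHERIP}}


def canonicalize(path):
    """Percent-decode once, then collapse '.' and '..' segments the way an
    origin server would before looking up the resource."""
    return posixpath.normpath(unquote(path))


def route(path):
    """ProxyPass-style longest-prefix match; returns (prefix, backend) or None."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, ROUTES[prefix]
    return None


def forward_check_first(client_ip, raw_path):
    """Unsafe order: route and check the ACL on the raw request path, then
    decode/normalise what is sent to the backend.

    Returns ("allow", backend_url) or ("deny", None).
    """
    hit = route(raw_path)
    if hit is None:
        return ("deny", None)
    prefix, backend = hit
    if client_ip not in ACLS[prefix]:
        return ("deny", None)
    # Decoding happens only now, so '/a/%2E%2E/b/x' was authorised under /a
    # but the backend receives '/b/x': the ACL for /b never ran.
    rest = canonicalize(raw_path[len(prefix):])
    return ("allow", backend.rstrip("/") + rest)


def forward_canonical_first(client_ip, raw_path):
    """Safe order: canonicalise once, decide on the canonical path, and make
    the backend see exactly the path that was authorised.

    Returns ("redirect", canonical_path), ("allow", backend_url) or ("deny", None).
    """
    canon = canonicalize(raw_path)
    if canon != raw_path:
        # The gateway changed the URI; refer the client to the canonical form
        # so the access decision is made on a request it actually sent.
        return ("redirect", canon)
    hit = route(canon)
    if hit is None:
        return ("deny", None)
    prefix, backend = hit
    if client_ip not in ACLS[prefix]:
        return ("deny", None)
    return ("allow", backend.rstrip("/") + canon[len(prefix):])


if __name__ == "__main__":
    for ip in (SOMEIP, SOMEOTHERIP):
        for path in ("/a/%2E%2E/b/somewhere", "/a/../b/somewhere", "/b/somewhere"):
            print(ip, path,
                  "check-first:", forward_check_first(ip, path),
                  "canonical-first:", forward_canonical_first(ip, path))
```

Run as a script, the table it prints shows the asymmetry the mail describes: with the check-first order, `someip` reaches `http://backend/b/somewhere` through the `/a` mapping, while the canonical-first order sends the client back to `/b/somewhere`, where only `someotherip` passes the access list.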
