> -----Original Message-----
> From: Roy T. Fielding
> Sent: Thursday, September 13, 2007 17:06
> To: [email protected]
> Subject: Re: Broken URI-unescaping in mod_proxy
>
>
> On Sep 13, 2007, at 7:54 AM, Plüm, Rüdiger, VF-Group wrote:
>
> >> Changes to the request URI must be referred back to the client in the
> >> form of a redirect. Any other choice will cause security holes in
> >> the request chain, somewhere.
> >>
> >> The proxy (when acting as a proxy) must not change the URI.
> >>
> >> The reverse proxy (gateway) is just an origin server with a
> >> stupid name -- it must send a redirect if it makes the above
> >> change to a URI.
> >
> > Sorry for being confused, but what change to a URI are you
> > talking about? Transforming
> >
> > GET /a/../b/somewhere
> >
> > into
> >
> > a request for /b/somewhere?
> >
> > This is the usual transformation we do also in the case we deliver
> > static content (without sending a redirect to /b/somewhere).
>
> We are supposed to be sending a redirect (or 403) in that case.
> Is that not true?

No. Just create a webserver with a document root and the directories a and b
below the document root containing an index.html.

Request

GET /a/../b/index.html HTTP/1.0

You will get the contents of <document root>/b/index.html directly
(a.k.a. Status code 200) without any redirect.
It has worked like this for as long as I can remember.

Regards

Rüdiger
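
The transformation discussed in this thread (GET /a/../b/index.html answered from /b/index.html), as an added example that is not part of the original messages and is not Apache httpd's code: dot-segment removal in the style of RFC 3986 section 5.2.4, restricted to absolute paths, which also reports whether the path changed, the case in which the thread debates a redirect or 403 versus a direct 200. The function name `collapse_dot_segments` and the sample paths are assumptions, as is the input being an already-unescaped path without a query string.

```c
#include <stdio.h>
#include <string.h>

/* Collapse "." and ".." segments of an absolute, already-unescaped URI path
 * (no query string). Returns 1 if the path changed, 0 if it was already
 * normal, -1 on bad input. The result is never longer than the input. */
int collapse_dot_segments(const char *path, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = path;

    if (path[0] != '/' || strlen(path) >= outsz)
        return -1;
    while (*p == '/') {
        const char *seg = p + 1;
        size_t len = strcspn(seg, "/");
        int last = (seg[len] == '\0');

        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            /* drop the previous segment; at the root there is nothing to drop */
            while (n > 0 && out[--n] != '/')
                ;
        } else if (!(len == 1 && seg[0] == '.')) {
            out[n++] = '/';             /* ordinary segment: copy it through */
            memcpy(out + n, seg, len);
            n += len;
            last = 0;
        }
        if (last)               /* a trailing "." or ".." leaves a directory */
            out[n++] = '/';
        p = seg + len;
    }
    out[n] = '\0';
    return strcmp(path, out) != 0;
}

int main(void)
{
    /* constructed sample paths, not taken from the thread's servers */
    const char *samples[] = { "/a/../b/index.html", "/b/index.html", "/../x", "/a/b/.." };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = collapse_dot_segments(samples[i], buf, sizeof buf);
        printf("%-22s -> %-16s %s\n", samples[i], buf, rc ? "changed" : "unchanged");
    }
    return 0;
}
```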
