On Sat, Mar 24, 2012 at 12:27 PM, Rainer Jung <rainer.j...@kippdata.de> wrote:
> On 24.03.2012 16:39, Jeff Trawick wrote:
>> On Sat, Mar 24, 2012 at 7:31 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:
>>> On 24.03.2012 07:02, Kaspar Brand wrote:
>>>> On 23.03.2012 18:11, Rainer Jung wrote:
>>>>> It should be RewriteRule not RewriteMap in my previous mail. I
>>>>> simplified the config to a single RewriteRule but forgot to adjust
>>>>> subject and intro of my mail. The problem remains the same.
>>>>
>>>> Doesn't that ring a bell - namely the one of PR 52774?
>>>
>>> Thanks Kaspar, yes that's the same issue. Sorry for not having remembered
>>> or searched that one.
>>>
>>> I expect the same problem for trunk, but will check it.
>>>
>>> I need to review the argumentation for the final variant of the
>>> CVE-2011-4317 fix but IMHO the current behavior is broken.
>>
>> The primary reasoning was that it lets the long-standing fallback
>> logic in core fail the request if necessary, letting modules decide
>> what they could handle. Subsequently it was determined that the error
>> path in the initial 3368 fix didn't work for HTTP 0.9 in some levels
>> of code (2.0 IIRC) and just managed to work in 2.2.
>>
>> But yes, this forward proxy situation needs to be supported. The
>> check added to mod_rewrite to skip things it didn't know how to handle
>> was not correct.
>>
>> After a cursory skim of the code, it seems that RewriteRule could
>> conceivably be used on anything that gets in r->uri or r->filename,
>> but that generality, hopefully unintentional, was part of the original
>> problem.
>
> Would it help to apply the current checks only for [P] flags? Or are there
> other known exposures for the proxy problem? I don't remember any, but maybe
> those were only the easiest ones to understand.
>
> Currently we DECLINE in hook_uri2file() before we actually go through the
> rules. We could DECLINE only if we detect a [P] rule.
>
> Another question would then be, if the same check would again be necessary
> when running through the rules the second time in the fixup hook.
Adding Petr, who posted a patch to bug 52774... I've stared at the patch a bit (no mysteries) as well as at Rainer's suggestions above from a couple of weeks ago (whoops!) but haven't settled on an opinion yet.
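To make the trade-off in Rainer's suggestion concrete, here is an added C model (not httpd or mod_rewrite code; every name, the two constructed rulesets and the hook return values are assumptions) of the gate in hook_uri2file(): the current behaviour declines any request-URI that does not start with '/', so a forward-proxy absolute URI never reaches the rules, while the proposed variant declines only when the ruleset actually carries a [P] rule.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hook results, modelled on httpd's OK/DECLINED convention (assumed names). */
enum { MODEL_OK = 0, MODEL_DECLINED = -1 };

/* A RewriteRule reduced to the one property the gate cares about: [P] or not. */
struct model_rule {
    const char *pattern;
    const char *substitution;
    bool proxy_flag;            /* true when the rule carries the [P] flag */
};

/* Constructed sample rulesets for the two cases discussed in the thread. */
static const struct model_rule ruleset_proxy[] = {
    { "^/app/(.*)$", "http://backend.example/$1", true },   /* reverse-proxy [P] rule */
};
static const struct model_rule ruleset_local[] = {
    { "^/old/(.*)$", "/new/$1", false },                     /* plain local rewrite */
};

static bool model_ruleset_has_proxy(const struct model_rule *rules, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (rules[i].proxy_flag)
            return true;
    return false;
}

/* The gate run before the rules are evaluated.
 * decline_only_for_proxy == false: current behaviour, skip every request-URI
 *   that does not start with '/' (this is what breaks forward-proxy requests).
 * decline_only_for_proxy == true: Rainer's proposal, skip such URIs only when
 *   the ruleset contains a [P] rule, otherwise let the rules run. */
static int model_uri2file_gate(const char *uri, const struct model_rule *rules,
                               size_t n, bool decline_only_for_proxy)
{
    if (uri[0] == '/')
        return MODEL_OK;                      /* origin-form: always run the rules */
    if (!decline_only_for_proxy)
        return MODEL_DECLINED;                /* current: anything else is skipped */
    return model_ruleset_has_proxy(rules, n) ? MODEL_DECLINED : MODEL_OK;
}

/* Wrappers over the two constructed rulesets, so results can be checked by name. */
int gate_proxy_ruleset(const char *uri, bool proposed)
{ return model_uri2file_gate(uri, ruleset_proxy, 1, proposed); }
int gate_local_ruleset(const char *uri, bool proposed)
{ return model_uri2file_gate(uri, ruleset_local, 1, proposed); }
```

Under the proposed gate, a forward-proxy request such as "http://example.org/" is rewritten when the configuration has no [P] rule, but is still skipped when one is present; the fixup-hook question Rainer raises is not modelled here.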