On Sat, May 26, 2012 at 9:19 AM, Rainer Jung <[email protected]> wrote:
> On 24.05.2012 17:12, Eric Covener wrote:
>>
>> There are a couple of PRs going around about people who were using
>> rewrite to operate on URLs now kicked out of mod_rewrite by default
>> (IIRC at least proxy:blah and CONNECT arg)
>>
>> Should we just add a mod_rewrite directive or RewriteOption that opts
>> in to handling any URL and document the cautions in the directive? I
>> don't mind doing that code and doc work to skip the new check to
>> unblock people before 2.2.23. Please comment!
>
>
> I thought the original problem with mod_rewrite existed only for rules with
> the proxy flag. So rules without the proxy flag should be always OK. Right?
> All bugzilla issues I am aware of only use such OK rules. If we would allow
> them, we would fix the problem for most users.

AFAIK the original problem was just for [P]. I don't know if it is reasonable to let everything else through, on the theory that there's no telling what can happen with mod_rewrite :) (But thus far there has been no telling what existing behavior became broken by NOT letting everything else through.)

Elsewhere was reported another legacy configuration with [P] which does not work with the checks added with 4317. So just limiting the new check to cases with [P] isn't sufficient.

>
> For rules with the proxy flag I don't know what the "right" solution would
> be. I think the original CVE issue was triggered by interpreting some URL
> prefix as a userinfo (the "@" separated part).
>
> Jeff at some point was also looking at it, the patch attached to PR 52774
> and my suggestion of only restricting rewrite rules with proxy flag set. But
> it seems he also didn't come to a result.

What happened was that I signed up for a handful of courses on Udacity and Coursera and am just now catching my breath this week :)

Here are some valid requests which fail the 4317 checks:

CONNECT foo.example.com[:port]
GET http://foo.example.com
GET proxy:http://foo.example.com/ (rewriting something which was already proxied internally)

I am leaning towards the likely minority view that it is problematic to not know what the valid inputs to a ~15 year old module really are, and we should whitelist a few more patterns such as those above and see how far it gets us. Unfortunately this breaks a few users but they are holding the testcases.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
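As an added illustration (not code from this thread or from httpd), the following Python sketch shows what the "whitelist a few more patterns" idea from the mail could look like: a classifier that recognises the three request-target shapes listed above and rejects everything else. The form names, the hostname regex and the refusal of a userinfo ("@") part in the authority are this example's own assumptions, modelled on the mail's description of the CVE.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow-list check illustrating the mail's "whitelist a few
# more patterns" proposal.  It is NOT mod_rewrite's own code; the form names
# and the rejection of userinfo ("@") are this example's choices.
_HOSTPORT = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]{1,5})?$")


def classify_target(method, target):
    """Return the recognised request-target form, or 'reject'."""
    if target.startswith("/"):
        return "origin-form"          # plain path: GET /index.html
    if method == "CONNECT" and _HOSTPORT.match(target):
        return "authority-form"       # CONNECT foo.example.com[:port]
    if target.startswith("proxy:"):
        # "proxy:" marks a request already handed to the proxy internally;
        # accept it only if what follows is a plain absolute URL.
        inner = target[len("proxy:"):]
        if classify_target("GET", inner) == "absolute-form":
            return "proxy-prefixed"
        return "reject"
    parts = urlsplit(target)
    # Absolute-form: GET http://foo.example.com.  A userinfo part ("@" in
    # the authority) is refused, since the mail attributes the original CVE
    # to a URL prefix being interpreted as userinfo.
    if parts.scheme in ("http", "https") and parts.netloc and "@" not in parts.netloc:
        return "absolute-form"
    return "reject"


def check_request_line(line):
    """Split a request line and classify its target."""
    method, target, _version = line.split(" ", 2)
    return method, target, classify_target(method, target)


# Constructed sample request lines: the three shapes from the mail plus two
# that fall outside the allow-list.
SAMPLE_REQUESTS = [
    "CONNECT foo.example.com:443 HTTP/1.1",
    "GET http://foo.example.com HTTP/1.1",
    "GET proxy:http://foo.example.com/ HTTP/1.1",
    "GET http://user@foo.example.com/ HTTP/1.1",
    "GET foo.example.com HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        method, target, form = check_request_line(line)
        print(f"{method:8}{target:40}{form}")
```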
