After all the discussions I did some commits today to produce a
consistent URi handling result for the Apache, IIS and Netscape connectors.
Here is the summary:
1) How do the web servers pass URLs to the plugins?
- Apache: decoded, normalized
- Netscape: decoded, normalized
- IIS: original URL
2) How do we manipulate them before checking against forwarding rules?
- Apache: no additional manipulation
- Netscape: no additional manipulation
- IIS: decode and normalize
3) How de we forward, if we find a match?
All web servers: reencode using the mod_proxy code. Some safe characters
will not get reencoded (exactly like in mod_proxy), for example the
semicolon ';'.
Interesting: the list of safe characters comes from Apache httpd trunk
and differs from 2.2.x by not encoding '~'.
4) Safety, Interoperability
Since we reencode problematic characters, especially '%', the attacks we
discussed are not possible. Since we use the internal URL as a basis for
reencoding, interoperability with mod_rewrite etc. is fine. Since
semicola are not reencoded, URL encoded session ids are fine.
5) Hardening
There is an additional option (Apache: RejectUnsafeURI, IIS/Netscape:
reject_unsafe), which will reject URLs which contain a percent sign '%'
or backslash '\' after decoding. Since a percent sign after decoding is
legitimate, the option is off by default. Users who know, that their
apps do not use percent signs, can turn this option on as an early line
of defense (e.g. against buggy servlets etc.).
6) Code cleanuup
I shortened the reencoding implementation because I think, having to
much unused code gives us the wrong impression, that it is actively
maintained code. The original code form mod_proxy contains a lot of
different cases, and we use only one of those.
I also reverted Mladen's patch, but carried over his central idea for
5). I really think (and tested), that it is not necessary in general
(because here Apache and Netscape already do what his new methods were
supposed to add).
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
