Hi Ilya,

On Fri, Jun 26, 2020 at 02:04:41PM +0500, ???? ??????? wrote:
> ??, 26 ???. 2020 ?. ? 11:00, Willy Tarreau <w...@1wt.eu>:
> 
> > Hi Tim,
> >
> > On Thu, Jun 25, 2020 at 04:30:37PM +0200, Tim Düsterhus wrote:
> > (...)
> > > Willy: Please correct me if I misrepresented your arguments or left out
> > > something important.
> >
> > I think it's well summarized. There are other more painful points not
> > mentioned here:
> >
> 
> Tim, can we schedule this for 2.3 ? It seems to be "too much" for 2.2

Rest assured that for me it's not even imaginable to break 2.2 with
such sort of things. We have sufficient issues to address right now!

> as for normalization, I'd like an idea to compare nginx normalization rules.
> (I recall myself that only "merge_slashes off;" was rarely an issue, the
> rest of normalization rules seem to be just fine)

Be careful that nginx is a web server, not a gateway, so it doesn't have
to care about how the next hop would interpret the request since there
isn't such "next hop" so it only has to be consistent with itself. And
by the way, in case you'd still use it as a reverse-proxy using proxy_pass
you have to be aware that it only normalizes during analysis but forwards
the unprocessed request, leading to some of the well-known things I
mentioned:

  https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/

This article by the way also mentions the funny things with some
application servers which incorrectly use ";" as a query string
delimiter, which is yet another thing breaking normalization!

Willy
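
The mismatch described in the message above, between the path a proxy analyses and the path it forwards, can be checked for with the following added example, which is not part of the original message or of nginx/HAProxy code. The normalization rules (percent-decoding, slash merging, dot-segment resolution), the function names and the sample targets are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote


def normalize_path(raw_path: str) -> str:
    """Assumed model of normalization done only for analysis:
    percent-decode, merge repeated slashes, resolve dot segments."""
    decoded = unquote(raw_path)
    merged = re.sub(r"/{2,}", "/", decoded)
    norm = posixpath.normpath(merged)
    # normpath drops a trailing slash; keep it so "/dir/" stays a directory.
    if merged.endswith("/") and norm != "/":
        norm += "/"
    return norm


def audit_target(raw_target: str) -> dict:
    """Compare the path used for routing/ACL decisions with the raw path
    that would be forwarded unchanged to the next hop."""
    raw_path, _, _query = raw_target.partition("?")
    analysed = normalize_path(raw_path)
    findings = []
    if analysed != raw_path:
        findings.append("forwarded path differs from analysed path")
    if ";" in raw_target:
        findings.append("';' present: some application servers treat it as a delimiter")
    return {"analysed": analysed, "forwarded": raw_path, "findings": findings}


# Constructed sample request targets (origin-form), not taken from real traffic.
SAMPLES = [
    "/static/app.css",
    "/static//img/../../admin/users",
    "/static/%2e%2e/admin",
    "/api/items;debug=1?id=3",
]

if __name__ == "__main__":
    for target in SAMPLES:
        result = audit_target(target)
        status = "; ".join(result["findings"]) or "consistent"
        print(f"{target!r}: analysed={result['analysed']!r} -> {status}")
```

A gateway that finds a difference can either reject the request or forward the analysed form, so that both hops act on the same path.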
