It works for me here in testing... Are you linked against pcreposix? Even so, yeah if you have the time, patches against http.c redirect_reply() would probably be the best solution.
Joe

> -----Original Message-----
> From: Kevin Bowling [mailto:[email protected]]
> Sent: Tuesday, November 29, 2011 12:42 PM
> To: [email protected]
> Subject: Re: [Pound Mailing List] Pound CSRF vulnerability in redirects
>
> Still not working for even the simplest of URLs.
>
> I agree with the Apache style redirect (escaped URL/"here" text).
> I'll write some patches later today when I have time.
>
> Regards,
> Kevin
>
> On Tue, Nov 29, 2011 at 8:23 AM, Joe Gooch <[email protected]> wrote:
> > This may be more realistic... at least for most urls I've worked with. It's not all-inclusive of every possible url pattern.
> >
> > CheckURL "^[A-Za-z0-9\.\/]+(\?[A-Za-z0-9=\.&]*)?(;[A-Za-z0-9=\.&]*)?$"
> >
> > Also note from looking at the code, it looks like CheckURL runs *after* URL encoded expansion. Which means, if your url has a %3c in it, it'll be expanded to <, and then checked against the regex, and get rejected. Which might not be a problem for you.
> >
> > Ultimately I think the solution is Pound needs to write the redirect page using URL encoding for the href link, and maybe the word "here" for the link text. (like, for instance, apache would) If it's going to write out the link text it should be html entity encoded.
> >
> > I passed the URLs you gave into apache and it had no problem printing an appropriate redirect page, and/or attempting to find that type of file on the filesystem.... so... yeah.
> >
> > Joe
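The redirect-page fix proposed in this thread (URL-encoded href, fixed "here" link text), sketched in C as an added example. It is not Pound's code and not a patch from this thread: `encode_href()` and `redirect_body()` are hypothetical helpers, and the page markup and sample URL are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy url into out so it is safe inside a double-quoted
 * href. Bytes outside the URL-safe set become %XX, '&' becomes &amp;, and an
 * existing %XX escape is kept. Returns 0, or -1 if out is too small. */
int encode_href(const char *url, char *out, size_t outlen)
{
    static const char safe[] = "-._~:/?#[]@!$()*+,;=";
    size_t o = 0;

    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        char buf[8];
        if (isalnum(*p) || strchr(safe, *p) ||
            (*p == '%' && isxdigit(p[1]) && isxdigit(p[2])))
            snprintf(buf, sizeof buf, "%c", *p);
        else if (*p == '&')
            snprintf(buf, sizeof buf, "&amp;");
        else
            snprintf(buf, sizeof buf, "%%%02X", (unsigned)*p);
        size_t n = strlen(buf);
        if (o + n >= outlen)
            return -1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Hypothetical helper: build the redirect page. The request-derived URL only
 * appears encoded in the href; the visible link text is the fixed word "here". */
int redirect_body(const char *url, char *page, size_t pagelen)
{
    char href[2048];
    if (encode_href(url, href, sizeof href) != 0)
        return -1;
    int n = snprintf(page, pagelen, "<html><body><h1>Redirect</h1>"
        "<p>You should go <a href=\"%s\">here</a></p></body></html>", href);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : 0;
}

int main(void)
{
    char page[4096]; /* the URL below is a constructed sample input */
    if (redirect_body("/a\"><b>?q=1&r=%3c", page, sizeof page) == 0)
        puts(page);
    return 0;
}
```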
