Or I could do it! http://goochfriend.org/pound_2.6f_xss_redirect_fix.patch

Joe

> -----Original Message-----
> From: Joe Gooch [mailto:[email protected]]
> Sent: Tuesday, November 29, 2011 1:03 PM
> To: '[email protected]'
> Subject: RE: [Pound Mailing List] Pound CSRF vulnerability in redirects
>
> It works for me here in testing... Are you linked against pcreposix?
>
> Even so, yeah if you have the time, patches against http.c redirect_reply() would probably be the best solution.
>
> Joe
>
> > -----Original Message-----
> > From: Kevin Bowling [mailto:[email protected]]
> > Sent: Tuesday, November 29, 2011 12:42 PM
> > To: [email protected]
> > Subject: Re: [Pound Mailing List] Pound CSRF vulnerability in redirects
> >
> > Still not working for even the simplest of URLs.
> >
> > I agree with the Apache style redirect (escaped URL/"here" text). I'll write some patches later today when I have time.
> >
> > Regards,
> > Kevin
> >
> > On Tue, Nov 29, 2011 at 8:23 AM, Joe Gooch <[email protected]> wrote:
> > > This may be more realistic... at least for most urls I've worked with. It's not all-inclusive of every possible url pattern.
> > >
> > > CheckURL "^[A-Za-z0-9\.\/]+(\?[A-Za-z0-9=\.&]*)?(;[A-Za-z0-9=\.&]*)?$"
> > >
> > > Also note from looking at the code, it looks like CheckURL runs *after* URL encoded expansion. Which means, if your url has a %3c in it, it'll be expanded to <, and then checked against the regex, and get rejected. Which might not be a problem for you.
> > >
> > > Ultimately I think the solution is Pound needs to write the redirect page using URL encoding for the href link, and maybe the word "here" for the link text. (like, for instance, apache would) If it's going to write out the link text it should be html entity encoded.
> > >
> > > I passed the URLs you gave into apache and it had no problem printing an appropriate redirect page, and/or attempting to find that type of file on the filesystem.... so... yeah.
> > >
> > > Joe
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
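The redirect-page construction Joe proposes above (percent-encode the URL that goes into the href, use a fixed "here" as the link text, and entity-encode anything that is echoed into HTML), as an added example written for this thread; it is not Pound's redirect_reply() nor the linked patch, and the helper names url_encode, html_escape and redirect_body are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Percent-encode everything except RFC 3986 unreserved characters and the
   URL delimiters in `delims`, so a decoded URL (as seen after Pound's own
   expansion) can go into an href. '<', '>', '"', '\'', ' ' and a bare '%'
   are all encoded. Returns bytes written (without NUL), -1 if out is too small. */
static int url_encode(const char *in, char *out, size_t outlen) {
    static const char delims[] = ":/?#[]@!$&()*+,;=";
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || strchr("-._~", c) || strchr(delims, c)) {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) return -1;
            n += (size_t)sprintf(out + n, "%%%02X", c);
        }
    }
    out[n] = '\0';
    return (int)n;
}
/* Entity-encode the characters that matter in element content and in a
   double-quoted attribute value. Same return convention as url_encode. */
static int html_escape(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;
        case '"': rep = "&quot;"; break;
        case '\'': rep = "&#39;"; break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= outlen) return -1;
        if (rep) memcpy(out + n, rep, len); else out[n] = *in;
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}
/* Redirect body: URL-encoded, then attribute-escaped href; literal "here" text. */
static int redirect_body(const char *url, char *out, size_t outlen) {
    char enc[1024], attr[2048];
    if (url_encode(url, enc, sizeof enc) < 0 || html_escape(enc, attr, sizeof attr) < 0) return -1;
    int n = snprintf(out, outlen, "<html><head><title>Redirect</title></head><body>"
        "<h1>Redirect</h1><p>You should go to <a href=\"%s\">here</a></p></body></html>", attr);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

Running html_escape over the already percent-encoded value is what turns a `&` query separator into `&amp;` inside the attribute while `<` from a decoded `%3c` never reaches the markup at all.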
