Re: Mitigating XSS in the mod_perl API

2003-01-30 Thread Joe Schaefer
Matt Sergeant <[EMAIL PROTECTED]> writes: > On Thursday, Jan 30, 2003, at 15:24 Europe/London, Thomas Eibner wrote: [...] > > Are they being responsive or? > > No, I don't even think it got past non-subscriber moderation. However > my original patch was naive, and didn't account for continuati

Re: Mitigating XSS in the mod_perl API

2003-01-30 Thread Matt Sergeant
On Thursday, Jan 30, 2003, at 15:24 Europe/London, Thomas Eibner wrote: What I was thinking was just that since you can add a header with $r->headers_out->add it would be possible to add something there to remove newlines, but since it's probably just an Apache::Table operation it wouldn't "know

Re: Mitigating XSS in the mod_perl API

2003-01-30 Thread Thomas Eibner
On Thu, Jan 30, 2003 at 02:36:53PM +, Matt Sergeant wrote: > > And I don't really think it's designed to output a header. Tables were used because it made it easy to implement (I assume), and it's only in > > mod_perl and not the C api that there are specific functions for adding > > to r

Re: Mitigating XSS in the mod_perl API

2003-01-30 Thread Matt Sergeant
On Tue, 28 Jan 2003, Thomas Eibner wrote: > Yes, that sounds very weak. To me it sounds like Matt doesn't know what > he is doing if he's passing RAW input from a client directly into > something. I know it sounds harsh and I'm not trying to degrade Matt as > I have great respect for the work he i

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Thomas Eibner
On Tue, Jan 28, 2003 at 02:50:54PM +, Matt Sergeant wrote: > For geoff... > > On Tue, 28 Jan 2003, Matt Sergeant wrote: > > > Index: src/main/http_protocol.c > > === > > RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Thomas Eibner
On Tue, Jan 28, 2003 at 11:30:18AM +, Matt Sergeant wrote: > Here's the patch in case anyone is interested in applying it to their own > apache. I think there's probably a bug in that \n might not always be the > right thing to look for (CRLF issues), so please send me corrections ;-) > > I ha

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Thomas Eibner
On Tue, Jan 28, 2003 at 01:08:28PM +0200, Issac Goldstand wrote: > - Original Message - > From: "Thomas Eibner" <[EMAIL PROTECTED]> > Subject: Re: Mitigating XSS in the mod_perl API > > > > On Mon, Jan 27, 2003 at 02:45:13PM +, Matt Sergeant wro

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Geoffrey Young
Matt Sergeant wrote: Here's the patch in case anyone is interested in applying it to their own apache. I think there's probably a bug in that \n might not always be the right thing to look for (CRLF issues), so please send me corrections ;-) I'm not a C guy, but there are some constants in htt

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Matt Sergeant
Here's the patch in case anyone is interested in applying it to their own apache. I think there's probably a bug in that \n might not always be the right thing to look for (CRLF issues), so please send me corrections ;-) I haven't actually run this, so it might not work. But to quote Lord Flashhea

Re: Mitigating XSS in the mod_perl API

2003-01-28 Thread Issac Goldstand
- Original Message - From: "Thomas Eibner" <[EMAIL PROTECTED]> Subject: Re: Mitigating XSS in the mod_perl API > On Mon, Jan 27, 2003 at 02:45:13PM +, Matt Sergeant wrote: > > On Mon, 27 Jan 2003, Thomas Eibner wrote: > > > > > So, because a

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Matthew Byng-Maddick
On Mon, Jan 27, 2003 at 08:57:38AM -0600, Thomas Eibner wrote: > On Mon, Jan 27, 2003 at 02:45:13PM +, Matt Sergeant wrote: > > The programmer wants to output a header. If he accidentally tries to > > output something that's not a header he actually ends up outputting body. > > That's a bug. > I

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Thomas Eibner
On Mon, Jan 27, 2003 at 03:07:01PM +, Matt Sergeant wrote: > Anyway the main reason for doing this is there's no other way. Since > headers_out is just a plain table object, and there are no "setter" hooks > for tables, so I couldn't do it in mod_perl space. And I couldn't do it in > AxKit spa

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Matt Sergeant
On Mon, 27 Jan 2003, Thomas Eibner wrote: > > On Mon, Jan 27, 2003 at 02:45:13PM +, Matt Sergeant wrote: > > On Mon, 27 Jan 2003, Thomas Eibner wrote: > > > > > So, because a programmer doesn't check the validity of the input he gets > > > it's a bug that should be fixed in Apache? Maybe someo

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Thomas Eibner
On Mon, Jan 27, 2003 at 02:45:13PM +, Matt Sergeant wrote: > On Mon, 27 Jan 2003, Thomas Eibner wrote: > > > So, because a programmer doesn't check the validity of the input he gets > > it's a bug that should be fixed in Apache? Maybe someone should make > > sure that the same thing can't hap

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Matt Sergeant
On Mon, 27 Jan 2003, Thomas Eibner wrote: > So, because a programmer doesn't check the validity of the input he gets > it's a bug that should be fixed in Apache? Maybe someone should make > sure that the same thing can't happen with allowing CGI input going > straight into a form.. oh wait. > I do

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Geoffrey Young
I suppose the opposition is that well, mod_perl is just an API, and we shouldn't be forcing programming styles onto the programmer, but there isn't a single legitimate use of \n in an outgoing header, so I don't think that argument has much weight. Thoughts? If that causes a bug, maybe this

Re: Mitigating XSS in the mod_perl API

2003-01-27 Thread Thomas Eibner
On Mon, Jan 27, 2003 at 09:28:38AM +1100, Stas Bekman wrote: > Matt Sergeant wrote: > >At the moment it's possible to do nasty XSS things in mod_perl when you > >set a cookie. That's because $r->headers_out->add() (or set()) doesn't > >care if you include carriage returns in your header. Simple

Re: Mitigating XSS in the mod_perl API

2003-01-26 Thread Stas Bekman
Matt Sergeant wrote: On Sunday, Jan 26, 2003, at 22:28 Europe/London, Stas Bekman wrote: If that causes a bug, maybe this should be fixed in Apache? That sounds plausible. Perhaps you could bring this up on new-httpd@ for me since I'm not subscribed ;-) You know that bringing up things on

Re: Mitigating XSS in the mod_perl API

2003-01-26 Thread Matt Sergeant
On Sunday, Jan 26, 2003, at 22:28 Europe/London, Stas Bekman wrote: If that causes a bug, maybe this should be fixed in Apache? That sounds plausible. Perhaps you could bring this up on new-httpd@ for me since I'm not subscribed ;-) I guess the argument you could use is that if you write out

Re: Mitigating XSS in the mod_perl API

2003-01-26 Thread Stas Bekman
Matt Sergeant wrote: At the moment it's possible to do nasty XSS things in mod_perl when you set a cookie. That's because $r->headers_out->add() (or set()) doesn't care if you include carriage returns in your header. Simple example would be: $r->headers_out->add('Set-Cookie' => 'mycookie=' . $

Mitigating XSS in the mod_perl API

2003-01-26 Thread Matt Sergeant
At the moment it's possible to do nasty XSS things in mod_perl when you set a cookie. That's because $r->headers_out->add() (or set()) doesn't care if you include carriage returns in your header. Simple example would be: $r->headers_out->add('Set-Cookie' => 'mycookie=' . $r->param('myparam'));