Dossy,

I agree that the problem is not with AOLserver, wrt reading the log
file, but AOLserver should probably not accept url bytes outside of
the accepted range.

Headers are slightly more difficult to handle. I have a test http
client (htclient) which only accepts context appropriate bytes. For
headers the range of acceptable bytes is larger, but you first have to
identify the context. From what I can figure out right now, URLs can't
contain unescaped control characters, so valid urls written to a log
file will never cause problems with shell programs.

On Mon, Sep 13, 2010 at 2:16 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> Actually, someone made the point -- what if you log request *headers*
> and someone puts a malicious byte sequence in that header?  What's the
> rule around escaping the header values?  What about every other code
> path where a remote user can write unfiltered bytes to a file on the
> server (logfile, etc.).
>
> Essentially, the vulnerability here isn't in applications that write
> these bytes to files, but specific terminal applications that are weak
> and should be fixed.  Otherwise, "cat" is potentially "vulnerable" and
> that's a ridiculous position to hold.

This is absolutely correct.  External applications should protect
themselves against malicious input. Many do. Occasionally I make a
mistake and read a binary file. The result is lots of beeps and
strange graphical characters appearing on the terminal. The only
solution is to exit the terminal.

Headers are much more dangerous than the request-line, but the problem
is with the reader, not the http application.

The request line cannot contain malicious characters; I'll have to
review the header definition (either don't log headers or read them
with a safe reader).

tom jackson


> On 9/13/10 4:46 PM, Tom Jackson wrote:
>> Anyway, it is critical to examine and normalize the request uri asap
>> and act quickly when presented with invalid chars.
>
> --
> Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>  "He realized the fastest way to change is to laugh at your own
>    folly -- then you can let go and quickly move on." (p. 70)
>
>
> --
> AOLserver - http://www.aolserver.com/
>
> To Remove yourself from this list, simply send an email to 
> <lists...@listserv.aol.com> with the
> body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
> field of your email blank.
>

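The two defensive measures discussed above, rejecting a request URI that carries bytes outside the accepted range and escaping header values before they reach a log file that someone will later read in a terminal, as an added C example. This is not AOLserver's code; it assumes the RFC 3986 URI character set as the accepted range and a \xNN escape form for anything outside printable ASCII.

```c
/* Added example (not AOLserver code): keep raw control bytes out of
 * request URIs and out of anything written to a log file, so that a
 * terminal or shell tool reading the log never receives them. */
#include <stddef.h>
#include <string.h>

/* Returns 1 if byte c may appear unescaped in a request-line URI.
 * Assumption: RFC 3986 unreserved + reserved characters plus '%'.
 * Control bytes, space, DEL and anything >= 0x80 are rejected. */
static int uri_byte_ok(unsigned char c)
{
    static const char extra[] = "-._~:/?#[]@!$&'()*+,;=%";
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
        (c >= '0' && c <= '9'))
        return 1;
    return c != '\0' && c < 0x80 && strchr(extra, (char)c) != NULL;
}

/* Returns 1 if every byte of the request URI is in the accepted range,
 * 0 if the request should be rejected before it is logged or served. */
int uri_is_clean(const char *uri)
{
    for (; *uri; uri++)
        if (!uri_byte_ok((unsigned char)*uri))
            return 0;
    return 1;
}

/* Copies len bytes of `in` to `out`, replacing every byte outside
 * printable ASCII (0x20..0x7E), and the backslash itself, with \xNN so
 * the escaped form is unambiguous.  Returns the number of bytes written,
 * or -1 if `out` is too small; `out` is NUL-terminated on success.
 * Use this on header values (and any other client-supplied string)
 * before writing them to a log file. */
int log_escape(const unsigned char *in, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c <= 0x7e && c != '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}
```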
