On 24.03.2012 16:39, Jeff Trawick wrote:
On Sat, Mar 24, 2012 at 7:31 AM, Rainer Jung<rainer.j...@kippdata.de> wrote:
On 24.03.2012 07:02, Kaspar Brand wrote:
On 23.03.2012 18:11, Rainer Jung wrote:
It should be RewriteRule not RewriteMap in my previous mail. I
simplified the config to a single RewriteRule but forgot to adjst
subject and intro of my mail. The problem remains the same.
Doesn't that ring a bell - namely the one of PR 52774?
Thanks Kaspar, yes that's the same issue. Sorry for not having remembered or
searched that one.
I expect the same problem for trunk, but will check it.
I need to review the argumentation for the final variant of the
CVE-2011-4317 fix but IMHO the current behavior is broken.
The primary reasoning was that it lets the long-standing fallback
logic in core fail the request if necessary, letting modules decide
what they could handle. Subsequently it was determined that the error
path in the initial 3368 fix didn't work for HTTP 0.9 in some levels
of code (2.0 IIRC) and just managed to work in 2.2.
But yes, this forward proxy situation needs to be supported. The
check added to mod_rewrite to skip things it didn't know how to handle
was not correct.
After a cursory skim of the code, it seems that RewriteRule could
conceivably be used on anything that gets in r->uri or r->filename,
but that generality, hopefully unintentional, was part of the original
problem.
Would it help to apply the current checks only for [P] flags? Or are
there other known exposures for the proxy problem? I don't remember any,
but maybe those were only the easiest once to understand.
Currently we DECLINE in hook_uri2file() before we actually go through
the rules. We could DECLINE only if we detect a [P] rule.
Another question would then be, if the same check would again be
necessary when running through the rules the second time in the fixup hook.
Regards,
Rainer
