On 6/11/20 9:50 AM, Yann Ylavic wrote:
> On Thu, Jun 11, 2020 at 8:52 AM jean-frederic clere <jfcl...@gmail.com> wrote:
>>
>> Should I commit my first proposal (it is easily backportable to 2.4.x)
>> and later work on the next one?
>
> How about something like the attached patch?
Looks good in general, but
1. Why do we need to switch to the new API in other parts of the code?
2. It doesn't tackle the mod_rewrite issue (but I think you mentioned this somewhere).
3. It doesn't tackle Location / LocationMatch / if issues.
If you did something like
<Location /admin>
do some auth
</Location>
ProxyPass / http://backend/
then
/app/..;foo=bar/admin
would bypass this auth on Apache reverse proxy layer.
This convinces me even more that we need to fix this by a virtual host specific setting that
strips off all path parameters at least for '.' and '..' segments, unless it is on the last segment and this segment is NOT '..' or '.'.
Of course this might cause issues if other parts of this virtual host need these path parameters and
deal with them in the HTTP sense, but I guess in practice this case is rather rare.
The next question is: All the patches here deal with ';' as an indicator for a path parameter. What about the other sub-delims
specified in RFC3986?
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
Regards
Rüdiger
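As an added illustration of the point made in the message above (example code written for this page, not httpd code and not any of the patches under discussion): the function below models the proposed per-vhost setting that strips ';...' path parameters from '.' and '..' segments, then resolves dot segments, so that the path compared against a <Location> block is the one the backend will most likely serve. The <Location> prefix match is a simplified stand-in and an assumption, not httpd's actual matching code; the request paths are constructed from the example in the thread.

```python
"""Constructed demonstration for the path-parameter discussion above.

Not httpd code: it models the proposed per-vhost setting (strip ';...' path
parameters from '.' and '..' segments) followed by dot-segment removal, so one
can see which path a <Location> block would be compared against. The
location_matches() helper is a simplified prefix match (an assumption), not
httpd's implementation.
"""
from typing import List, Tuple


def strip_dot_segment_params(path: str) -> str:
    """Drop ';param' suffixes from every segment except a final segment whose
    base is neither '.' nor '..'; such a final segment may carry a parameter
    used in the HTTP sense (e.g. ';jsessionid=...') and is left intact."""
    segments = path.split("/")
    last = len(segments) - 1
    out: List[str] = []
    for i, seg in enumerate(segments):
        base, _sep, _params = seg.partition(";")
        if i == last and base not in (".", ".."):
            out.append(seg)   # keep parameters on an ordinary final segment
        else:
            out.append(base)  # '..;foo=bar' becomes '..', 'app;x' becomes 'app'
    return "/".join(out)


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' in an absolute path (RFC 3986 section 5.2.4
    semantics, written out for clarity). A segment such as '..;foo=bar' is
    NOT treated as '..' here, which is exactly why a backend that does treat
    it as '..' serves a different resource than a plain prefix match expects."""
    segments = path.split("/")
    out: List[str] = []
    for seg in segments[1:]:          # segments[0] is '' for an absolute path
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    if segments[-1] in (".", ".."):   # a trailing dot segment yields a trailing '/'
        out.append("")
    return "/" + "/".join(out)


def canonical_path(path: str) -> str:
    """Path as the proposed setting would present it to <Location> matching."""
    return remove_dot_segments(strip_dot_segment_params(path))


def location_matches(location: str, path: str) -> bool:
    """Simplified <Location> prefix match on a '/' boundary (assumption)."""
    return path == location or path.startswith(location.rstrip("/") + "/")


def evaluate(location: str, raw_path: str) -> Tuple[bool, bool]:
    """Return (matches on the raw path, matches after proposed normalisation)."""
    return (location_matches(location, raw_path),
            location_matches(location, canonical_path(raw_path)))


if __name__ == "__main__":
    # Constructed requests: the thread's bypass path, a legitimate final-segment
    # parameter, and an unrelated path.
    for req in ("/app/..;foo=bar/admin", "/admin;jsessionid=abc", "/app/x"):
        raw, fixed = evaluate("/admin", req)
        print(f"{req:24} raw-match={raw} normalised={canonical_path(req)!r} match={fixed}")
```

The first request shows the gap the message describes: a raw prefix match against `/admin` fails, while the normalised path is `/admin` and matches; the second shows that a parameter on an ordinary final segment survives the proposed stripping.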