Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-12-28 Thread Stefan Fritsch
On Wednesday 08 December 2010, Malte S. Stretz wrote: Hmm, no reply yet, are there any objections/comments/questions about the patches? If not, anybody with enough karma to commit? Just asking :) I have committed the variant without separate config directive as r1053357, r1053363, r1053365.

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-12-28 Thread Malte S. Stretz
On Tuesday 28 December 2010 15:56:15 Stefan Fritsch wrote: On Wednesday 08 December 2010, Malte S. Stretz wrote: Hmm, no reply yet, are there any objections/comments/questions about the patches? If not, anybody with enough karma to commit? Just asking :) I have committed the variant

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-12-08 Thread Malte S. Stretz
On Monday 22 November 2010 23:25:06 I wrote: On Monday 18 October 2010 12:28:12 Malte S. Stretz wrote: On Tuesday 12 October 2010 19:49:02 Malte S. Stretz wrote: On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote: On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote: On 12

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-11-22 Thread Malte S. Stretz
On Monday 18 October 2010 12:28:12 Malte S. Stretz wrote: On Tuesday 12 October 2010 19:49:02 Malte S. Stretz wrote: On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote: On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote: On 12 Oct 2010, at 15:30, Malte S. Stretz wrote: I

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-10-18 Thread Malte S. Stretz
On Tuesday 12 October 2010 19:49:02 Malte S. Stretz wrote: On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote: On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote: On 12 Oct 2010, at 15:30, Malte S. Stretz wrote: I had a quick look at the Apache source and the solution was

[PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-10-12 Thread Malte S. Stretz
Hi folks, a few days ago on a bored afternoon I thumbed through the Unusual Web Bugs presentation [1] from 24C3. On slide 19/20 the author shows a way to inject otherwise filtered headers from Flash into CGI scripts. This is caused by sloppy filtering on the client side and the simple

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-10-12 Thread Dirk-Willem van Gulik
On 12 Oct 2010, at 15:30, Malte S. Stretz wrote: I had a quick look at the Apache source and the solution was simple: Just drop headers which contain any character outside the range [a-zA-Z0-9-]. The patch against trunk is attached. This made me think of something we had a while ago; and
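The whitelist Malte describes, as an added C example that is not the patch from the thread (the actual patch is attached to the original mail and is not reproduced on this page): a header name is kept only if every character is in [a-zA-Z0-9-]. To show why the check matters, the example also translates header names into CGI environment variable names the way CGI does (HTTP_ prefix, uppercased, every non-alphanumeric byte replaced by '_'); that translation is written from the general CGI convention and is an assumption about Apache's exact code, not taken from it. The function names and the sample header names are made up for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if every character of the header name is in [A-Za-z0-9-],
 * i.e. the whitelist proposed in the thread, otherwise 0.
 * An empty or NULL name is rejected as well. */
int cgi_header_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!(isalnum(*p) || *p == '-'))
            return 0;
    }
    return 1;
}

/* Build the CGI environment variable name for a request header:
 * "HTTP_" + name uppercased, with every non-alphanumeric byte
 * replaced by '_'. This is the usual CGI convention (assumed here
 * to match Apache's translation; not copied from its source) and is
 * the reason two different header names can collide after translation.
 * Returns 0 on success, -1 if out is too small. */
int cgi_header_to_env(const char *name, char *out, size_t outlen)
{
    const char prefix[] = "HTTP_";
    size_t n = strlen(name);
    if (outlen < sizeof(prefix) + n)   /* sizeof(prefix) includes the NUL */
        return -1;
    memcpy(out, prefix, sizeof(prefix) - 1);
    char *o = out + sizeof(prefix) - 1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        *o++ = isalnum(*p) ? (char)toupper(*p) : '_';
    *o = '\0';
    return 0;
}

/* Whitelist first, translate second: returns 0 if the header was
 * dropped, 1 if the environment name was written to out. */
int cgi_header_filtered_to_env(const char *name, char *out, size_t outlen)
{
    if (!cgi_header_name_ok(name))
        return 0;
    return cgi_header_to_env(name, out, outlen) == 0;
}

int main(void)
{
    /* Constructed sample: "X-Secret" stands for a name a client-side
     * filter blocks; the others are lookalikes a by-name filter lets
     * through, yet all three collapse to the same CGI variable. */
    const char *names[] = { "X-Secret", "X_Secret", "X.Secret" };
    char env[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        cgi_header_to_env(names[i], env, sizeof env);
        printf("%-9s -> %s (%s)\n", names[i], env,
               cgi_header_name_ok(names[i]) ? "kept" : "dropped by whitelist");
    }
    return 0;
}
```

Running the program prints the three names mapping to the single variable HTTP_X_SECRET, with only the hyphenated form surviving the whitelist; with the whitelist applied before translation, the lookalikes never reach the script's environment.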

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-10-12 Thread William A. Rowe Jr.
On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote: On 12 Oct 2010, at 15:30, Malte S. Stretz wrote: I had a quick look at the Apache source and the solution was simple: Just drop headers which contain any character outside the range [a-zA-Z0-9-]. The patch against trunk is attached.

Re: [PATCH] mod_cgi: Mitigating some header injections by dropping invalid headers?

2010-10-12 Thread Malte S. Stretz
On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote: On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote: On 12 Oct 2010, at 15:30, Malte S. Stretz wrote: I had a quick look at the Apache source and the solution was simple: Just drop headers which contain any character outside