On Fri, Jun 08, 2012 at 08:19:22AM -0400, Jeff Trawick wrote:
> On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton wrote:
> > Yes, but that was exactly the previous state: the security implication
> > of doing crazy stuff with rewrite rules really is totally unknown. I
> > wouldn't say "infrequently used
On Fri, Jun 8, 2012 at 4:58 AM, Joe Orton wrote:
> On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
>> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
>> > I like Eric's suggestion of an opt-in RewriteOption. This will avoid
>> > having to iterate yet again if the whitelist is eit
On 08.06.2012 10:58, Plüm, Rüdiger, Vodafone Group wrote:
-Original Message-
From: Joe Orton
Sent: Freitag, 8. Juni 2012 10:38
To: dev@httpd.apache.org
Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended
interpolation) rewrite PR's
On Thu, Jun 07, 2012 at 01:23:29PM -0400,
> -Original Message-
> From: Joe Orton
> Sent: Freitag, 8. Juni 2012 10:38
> To: dev@httpd.apache.org
> Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended
> interpolation) rewrite PR's
>
> On Thu, Jun 07, 2012 at 01:23:29PM -0400, Eric Covener wrote
On Thu, Jun 07, 2012 at 01:14:37PM -0400, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
> > I like Eric's suggestion of an opt-in RewriteOption. This will avoid
> > having to iterate yet again if the whitelist is either too broad or too
> > narrow, and can make the secur
On Thu, Jun 07, 2012 at 01:23:29PM -0400, Eric Covener wrote:
> e.g. RewriteOptions +"I know I'm running this regex against something
> that's not guaranteed to look like a URL-path, and I'll write a regex
> that carefully matches/captures the input"
How about this? I'm not sure how to put the ri
> -Original Message-
> From: Eric Covener
> Sent: Donnerstag, 7. Juni 2012 19:23
> To: dev@httpd.apache.org
> Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended
> interpolation) rewrite PR's
>
> On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick wrote:
On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
>> On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
>>> Here are some valid requests which fail the 4317 checks:
>>>
>>> CONNECT foo.example.com[:port]
>>> GET http://foo.example.c
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
> On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
>> Here are some valid requests which fail the 4317 checks:
>>
>> CONNECT foo.example.com[:port]
>> GET http://foo.example.com
>> GET proxy:http://foo.example.com/ (rewriting someth
On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
> Here are some valid requests which fail the 4317 checks:
>
> CONNECT foo.example.com[:port]
> GET http://foo.example.com
> GET proxy:http://foo.example.com/ (rewriting something which was
> already proxied internally)
>
> I am lea
On Sat, May 26, 2012 at 9:19 AM, Rainer Jung wrote:
> On 24.05.2012 17:12, Eric Covener wrote:
>>
>> There are a couple of PR's going around about people who were using
>> rewrite to operate on URL's now kicked out of mod_rewrite by default
>> (IIRC at least proxy:blah and CONNECT arg)
>>
>> Shoul
On 24.05.2012 17:12, Eric Covener wrote:
There are a couple of PR's going around about people who were using
rewrite to operate on URL's now kicked out of mod_rewrite by default
(IIRC at least proxy:blah and CONNECT arg)
Should we just add a mod_rewrite directive or RewriteOption that opts
in to
There are a couple of PR's going around about people who were using
rewrite to operate on URL's now kicked out of mod_rewrite by default
(IIRC at least proxy:blah and CONNECT arg)
Should we just add a mod_rewrite directive or RewriteOption that opts
in to handling any URL and document the cautions
13 matches