Posted to dev@httpd.apache.org by Dirk-Willem van Gulik <di...@covalent.net> on 2001/10/16 21:05:00 UTC

ServerString

Whilst putting together a set-server-string patch: how strict should we
be on the chars allowed in such a string? IMHO we should block things like
\r and \n in it - to stop .htaccess file naughtiness being able to forge
fake headers and so on.

But can we justify being more strict and only allowing A-z0-9 and /.-_;()
and space? Or would that stop an experienced admin too much - and rob him
or her of rightful shoot-in-the-foot pleasure?

Dw


Re: ServerString

Posted by Aaron Bannert <aa...@clove.org>.
On Tue, Oct 16, 2001 at 12:05:00PM -0700, Dirk-Willem van Gulik wrote:
> 
> Whilst putting together a set-server-string patch: how strict should we
> be on the chars allowed in such a string? IMHO we should block things like
> \r and \n in it - to stop .htaccess file naughtiness being able to forge
> fake headers and so on.
> 
> But can we justify being more strict and only allowing A-z0-9 and /.-_;()
> and space? Or would that stop an experienced admin too much - and rob him
> or her of rightful shoot-in-the-foot pleasure?

I think [-/._;()a-zA-Z0-9] is a good place to start (in ASCII-land).
If that is too restrictive we could always expand, but better to be safe
than sorry. Maybe a compile-time option to override the restrictions
would still allow an amount of shoot-in-the-foot goodness.

-aaron

Re: ServerString

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
Dirk-Willem van Gulik wrote:
> 
> Whilst putting together a set-server-string patch:
> how strict should we be on the chars allowed in
> such a string? IMHO we should block things like
> \r and \n in it - to stop .htaccess file naughtiness
> being able to forge fake headers and so on.

I don't think we want to allow it in .htaccess files
at all.  Only in server config files.  As for restrictions..
yes, don't permit anything not allowed by the RFC in a
response header field value.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"