You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by "Paul J.Lavoie" <pj...@ilx.com> on 1998/09/10 23:16:56 UTC

mod_proxy/2987: proxy agent does not pass '?' in password field

>Number:         2987
>Category:       mod_proxy
>Synopsis:       proxy agent does not pass '?' in password field
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Sep 10 14:20:00 PDT 1998
>Last-Modified:
>Originator:     pjl@ilx.com
>Organization:
apache
>Release:        1.3.1
>Environment:
NetBSD 1.3, gcc 2.7.2.2
>Description:
An attempt to usa apache as a proxy agent for ftp traffic fails if the 
character '?' (0x3f ascii)` needs to be passed. By default, the web server
will respond with an improper response to a ftp client, with the error_log 
showing 'error reading the headers'

Attempts to use the escape '%3f', which works with CERN's server version 3.0,
returns a '500 Proxy Error', apparently partially parsing the password as the 
access log shows the password as having been accepted, and the ftp site shows
an attempt to connect with an invalid password.

The clients used to test this were NetBSD's ftp client and various versions
of Netscape Communicator v4.0x
>How-To-Repeat:
1) Set an ftp account with a password that contains a '?'
2) Attempt to retrieve a file with the url of:
	ftp://user:passwd@host/some/file
where passwd has a '?' or '%3f'
>Fix:
I tried looking through the code and got somewhat befuddled. It would appear
that the proxy module does the right thing, but the request gets muddled 
somewhere in the main server. But then again...
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]