Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/09/18 21:40:24 UTC

Bugs still present in 1.2.4 (fwd)

Not acked.

Our %2f handling used to be deliberate for security hole avoidance.

Is it still a feature or now a bug?


---------- Forwarded message ----------
Date: Thu, 18 Sep 1997 12:44:05 -0400
From: David Fielding <fi...@exchange.CS.Cornell.edu>
To: apache-bugs@apache.org
Subject: Bugs still present in 1.2.4

Apache bugs:

[Please take the tone of this message as a simple inquiry into a bug we
reported over a year ago. Recently our customers have been asking if the
old bug we claim is stopping them from using Apache still exists. I am
now investigating this bug and it appears to still be a problem. Don't
take this as some screaming at you, as I realize one might if you read
it the wrong way.]

In checking your web site I see that you have yet to fix the problem
with PATH_INFO containing encoded slashes (%2f). This is reported as
PR#543 entered on May 4, 1997. We reported this problem with supporting
%2f in PATH_INFO over a year ago. Since then we have been advising many
of our institutional sites that run our digital library software
(Dienst/NCSTRL) that Apache does not work due to a bug.

http://ncstrl/Dienst/htdocs/dienst_install/faq_install.html#Question2

Jim Davis (Cornell/Xerox) reported this bug June 14th of last year.
Apache folks acknowledged this bug. His report does not show up in your
bug tracking system. (At least I am unable to find it)

PR#543 takes the tone this bug is not important and is not a priority to
get fixed. It's been over a year and I am wondering if you have any idea
when you will fix this problem?

I see more and more sites that are attempting to set up NCSTRL servers
with Apache only to find out about this bug and that they need CERN/NCSA
software. Most switch or set up an extra server.

We have had a few people ask if our FAQ message from 8/96 telling folks
not to use Apache is still valid. They feel the bug must have been fixed
by now. 

I guess I am surprised that a "bug" could get ignored for so long,
especially when it does not sound like a very difficult bug to track
down and fix. I hope you will increase the priority of this bug and let
us know when we can start telling people they can use Apache.

Thanks,
David


Re: Bugs still present in 1.2.4 (fwd)

Posted by Brian Behlendorf <br...@organic.com>.
At 03:57 PM 9/18/97 -0700, Roy T. Fielding wrote:
>I did respond to Jim (and a few other Dienst folks) last year, and my
>response was quite clear about why it is NOT a bug in Apache.  It was
>a deliberate plug of a security hole in some broken CGI scripts.
>We didn't "fix" the problem because we didn't want to reintroduce the
>security hole.
>
>We should find another way to avoid the security hole, but they could
>have just as easily (and more correctly) avoided using %2F in Dienst.
>That is why it was not a priority.

Is this bug in any of the CGI scripts in 1.2.4?

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"it's a big world, with lots of records to play." - sig   brian@organic.com
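
The reply quoted above describes the refusal of %2F as a deliberate plug for a hole in CGI scripts. The C code below is an added example, not Apache's code and not part of the original thread: `decode_path_strict`, `count_segments` and the status values are hypothetical names, and it assumes the risk is a script that treats every decoded `/` in PATH_INFO as a path separator.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Status values constructed for this example. */
enum { PATH_OK = 0, PATH_BAD_ESCAPE = 400, PATH_ENCODED_SLASH = 404 };

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX in place; refuse malformed escapes, %2f and %00 (assumption:
 * scripts cannot tell them from real ones). Discard the buffer on error. */
int decode_path_strict(char *path)
{
    char *in = path, *out = path;
    while (*in) {
        if (*in != '%') { *out++ = *in++; continue; }
        int hi = hexval(in[1]);
        int lo = (hi < 0) ? -1 : hexval(in[2]);   /* never reads past NUL */
        if (lo < 0) return PATH_BAD_ESCAPE;
        int ch = hi * 16 + lo;
        if (ch == '/' || ch == 0) return PATH_ENCODED_SLASH;
        *out++ = (char)ch;
        in += 3;
    }
    *out = '\0';
    return PATH_OK;
}

/* Segments a script would get by splitting the path on '/'. */
size_t count_segments(const char *path)
{
    size_t n = 0;
    for (const char *p = path; *p; p++)
        if (*p == '/' && p[1] != '\0' && p[1] != '/') n++;
    return n;
}

int main(void)
{
    char ok[] = "/docs/tech%20report";   /* constructed sample */
    char bad[] = "/docs/tech%2Freport";  /* constructed sample */
    printf("%d %d\n", decode_path_strict(ok), decode_path_strict(bad));
    return 0;
}
```

The raw path `/docs/tech%2freport` has two segments, while its fully decoded form has three, which is the ambiguity the strict decoder refuses to pass on.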

Re: Bugs still present in 1.2.4 (fwd)

Posted by Dean Gaudet <dg...@arctic.org>.
Hi David,

Prior to October 96 we didn't have any accurate method of tracking bugs.
That's when we instituted the bug tracking system.  The bug report you're
talking about was carried around by hand in our regular status reports for
a long time before being entered ... and I think it's safe to say that in
May 97 we were all pretty tired from a grueling 1.2 beta cycle where we
cleared out a lot of stuff.

PR#543 has been the topic of recent discussion, and more related PRs.  The
reason it hasn't been solved yet is that we have concerns about security
issues involving %2F.  But given that one of my consulting clients has
probed me on the issue I'll probably dig into it more in the next few
weeks.

The URL you gave below doesn't have a fully qualified host name, could you
supply the full hostname?  Thanks. 

Dean

On Thu, 18 Sep 1997, Rob Hartill wrote:

> ---------- Forwarded message ----------
> Date: Thu, 18 Sep 1997 12:44:05 -0400
> From: David Fielding <fi...@exchange.CS.Cornell.edu>
> To: apache-bugs@apache.org
> Subject: Bugs still present in 1.2.4
> 
> Apache bugs:
> 
> [Please take the tone of this message as a simple inquiry into a bug we
> reported over a year ago. Recently our customers have been asking if the
> old bug we claim is stopping them from using Apache still exists. I am
> now investigating this bug and it appears to still be a problem. Don't
> take this as some screaming at you, as I realize one might if you read
> it the wrong way.]
> 
> In checking your web site I see that you have yet to fix the problem
> with PATH_INFO containing encoded slashes (%2f). This is reported as
> PR#543 entered on May 4, 1997. We reported this problem with supporting
> %2f in PATH_INFO over a year ago. Since then we have been advising many
> of our institutional sites that run our digital library software
> (Dienst/NCSTRL) that Apache does not work due to a bug.
> 
> http://ncstrl/Dienst/htdocs/dienst_install/faq_install.html#Question2
> 
> Jim Davis (Cornell/Xerox) reported this bug June 14th of last year.
> Apache folks acknowledged this bug. His report does not show up in your
> bug tracking system. (At least I am unable to find it)
> 
> PR#543 takes the tone this bug is not important and is not a priority to
> get fixed. It's been over a year and I am wondering if you have any idea
> when you will fix this problem?
> 
> I see more and more sites that are attempting to set up NCSTRL servers
> with Apache only to find out about this bug and that they need CERN/NCSA
> software. Most switch or set up an extra server.
> 
> We have had a few people ask if our FAQ message from 8/96 telling folks
> not to use Apache is still valid. They feel the bug must have been fixed
> by now. 
> 
> I guess I am surprised that a "bug" could get ignored for so long,
> especially when it does not sound like a very difficult bug to track
> down and fix. I hope you will increase the priority of this bug and let
> us know when we can start telling people they can use Apache.
> 
> Thanks,
> David
> 
>