Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/07/28 20:12:25 UTC

[Bug 59456] Headers set with RequestHeader containing underscores in the name can be spoofed by clients

https://bz.apache.org/bugzilla/show_bug.cgi?id=59456

ScottE <ls...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from ScottE <ls...@gmail.com> ---
I'm a bit surprised that nobody has jumped on this as it's NOT an Apache issue.
I did not do my due diligence on this, and it turns out to entirely be a
problem in the request processing framework of the application Apache is
proxying requests to. It turns out that some frameworks follow old CGI specs
that prohibit hyphens ("-") in request header names. Apache is passing along
both its header and the client-generated headers, but the proxied framework
converts "-" to "_" which results in a map/dictionary key collision.

The net result of this is that my "Do this" advice is wrong, and better advice (if
you have no control over what the request processing code does) is to use
constructs like:

RequestHeader set SSLCLIENTVERIFY "%{SSL_CLIENT_VERIFY}s"  # Do this

I.e. mitigate the issue completely by avoiding "-" and "_" entirely.

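To make the collision described in the comment above concrete, here is an added example (not Apache code, and not code from the bug reporter) that models the CGI/WSGI rule of mapping a request header name to an environ key by upper-casing it, replacing "-" with "_" and prefixing "HTTP_". It shows the client-supplied underscore variant overwriting the proxy-set hyphen variant, adds a check a backend can run to reject a request whose raw header names collapse onto one key, and shows that the SSLCLIENTVERIFY name suggested in the comment does not collide with any hyphen or underscore spelling. The header values, the hostname and the "last header written wins" ordering are constructed assumptions; real frameworks differ in which copy wins or whether they join the values.

```python
"""Header-name collision through the CGI/WSGI HTTP_ mapping (added example).

Assumptions (not from the bug report): the backend builds its environ by
iterating headers in order with the last write winning, and the sample
requests below are constructed to illustrate the collision.
"""


def cgi_meta_key(header_name: str) -> str:
    """CGI/WSGI meta-variable rule: 'HTTP_' + upper-cased name, '-' -> '_'.

    This step is lossy: 'SSL-Client-Verify' and 'SSL_Client_Verify' both map
    to HTTP_SSL_CLIENT_VERIFY, which is the collision the comment describes.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers):
    """Naive framework behaviour: every header is written, last one wins."""
    environ = {}
    for name, value in raw_headers:
        environ[cgi_meta_key(name)] = value
    return environ


def find_collisions(raw_headers):
    """Map each environ key to the distinct raw names that feed it.

    Only keys fed by more than one distinct (case-folded) raw name are
    returned; those are the ones a client could use to shadow a proxy-set
    header.
    """
    seen = {}
    for name, _ in raw_headers:
        seen.setdefault(cgi_meta_key(name), set()).add(name.lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def safe_environ(raw_headers):
    """Refuse ambiguous requests instead of letting the client copy overwrite
    the proxy-set copy silently."""
    collisions = find_collisions(raw_headers)
    if collisions:
        raise ValueError(f"ambiguous header names: {collisions}")
    return build_environ(raw_headers)


# Constructed sample: what the backend receives after Apache applied
#   RequestHeader set SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
# while the client also sent an underscore spelling of the same name.
SPOOFED_REQUEST = [
    ("Host", "app.example.test"),
    ("SSL-Client-Verify", "NONE"),      # set by the proxy from real TLS state
    ("SSL_Client_Verify", "SUCCESS"),   # supplied by the client
]

# Constructed sample: same request once the proxy uses the comment's
# hyphen- and underscore-free name.
MITIGATED_REQUEST = [
    ("Host", "app.example.test"),
    ("SSLCLIENTVERIFY", "NONE"),        # set by the proxy
    ("SSL_Client_Verify", "SUCCESS"),   # client copy now lands on another key
]


if __name__ == "__main__":
    env = build_environ(SPOOFED_REQUEST)
    print("naive backend sees:", env["HTTP_SSL_CLIENT_VERIFY"])
    print("collisions:", find_collisions(SPOOFED_REQUEST))
    try:
        safe_environ(SPOOFED_REQUEST)
    except ValueError as exc:
        print("rejected:", exc)
    safe = safe_environ(MITIGATED_REQUEST)
    print("mitigated backend sees:", safe["HTTP_SSLCLIENTVERIFY"])
```

With the SSLCLIENTVERIFY name the only way for a client to reach HTTP_SSLCLIENTVERIFY is to send a header spelled exactly that way (header names are case-insensitive), and RequestHeader set replaces any existing header of the same name, so the proxy's value is the one that survives.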