Posted to users@httpd.apache.org by Mike - EMAIL IGNORED <m_...@yahoo.com> on 2006/06/19 18:21:22 UTC
[users@httpd] RE: /my.html#mySection
On Mon, 19 Jun 2006 09:05:42 +0200, Boyle Owen wrote:
>> -----Original Message-----
>> From: news [mailto:news@sea.gmane.org] On Behalf Of Mike -
>> EMAIL IGNORED
>> Sent: Sunday, June 18, 2006 4:09 AM
>> To: users@httpd.apache.org
>> Subject: [users@httpd] /my.html#mySection
>>
>> I have seen in several browsers that requests such as
>>
>> http://www.xxx.net/my.html#mySection
>>
>> get to the server without the #mySection . The page
>> is delivered and the #mySection is resolved locally
>> by the browser, as would seem to be appropriate.
>
> I've read your post a few times but can't understand it. Can you try to
> explain again what the problem is?
>
> Please don't assume we know anything about your set-up (OS, version, for
> example). BTW, do you really put "#" in the URL or is it shorthand for
> something? (# is an unsafe character...)
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>>
>> Now my CGI does not know about #mySection. If it
>> were to get a GET with the #mySection on it, it
>> would throw an exception, and return a 403.
>>
>> This is exactly what just happened. The log line
>> appears normal except for this.
>>
>> What should I make of this? I could strip off
>> the #mySection in the CGI, and otherwise process
>> normally. Is there some hidden threat here?
>>
>> Thanks for your advice.
>> Mike.
>>
>>
[...]
# uname -a
Linux mbrc20 2.6.14-1.1656_FC4 #1 Thu Jan 5 22:13:22
EST 2006 i686 i686 i386 GNU/Linux
Here is a (slightly edited with XXX YYY ZZZ) log line
from httpd-2.0.54-10.3 :
64.233.173.67 - - [18/Jun/2006:14:03:11 -0400]
"GET /XXX/XXX/YYY.html#ZZZ
HTTP/1.1" 403 - "http://www.XXX.net/religion/XXX/XXX/YYY.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
.NET CLR 1.1.4322)"
As you can see, good practice notwithstanding, there is a #YYY
in the GET. I have confirmed this by examining the incoming
packet captured with tethereal (ethereal-0.10.13-1.FC4.2) .
Now the #ZZZ is legitimate in the sense that my YYY.html does
contain that hypertext. However, in my experience, browsers do
not normally send the #ZZZ, as explained above.
My question is "how should I respond to it?" Here are choices:
1. Send 403 (Forbidden), which is what I do now.
2. Strip the #ZZZ in my CGI and YYY.html normally.
3. Something else I didn't think of.
Additionally, I wonder why the #ZZZ appeared in the first place.
Thanks for your interest in this.
Mike.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Re: RE: /my.html#mySection
Posted by Mike - EMAIL IGNORED <m_...@yahoo.com>.
On Wed, 21 Jun 2006 09:33:46 +0100, Pid wrote:
>
>
> Mike - EMAIL IGNORED wrote:
>> On Tue, 20 Jun 2006 08:42:33 -0600, David Salisbury wrote:
>>
>> [...]
>> The occasional appearance of #ZZZ in my logs therefore still remains
>> a mystery. By the way, I can duplicate it if I use nc on another
>> Linux box to send an (in)appropriate GET.
>
> Which user-agent is present in the log line? (sorry if I missed this
> from earlier).
> Any badly behaved bot might not be stripping the fragment before it
> crawls the next URL.
>
64.233.173.67 - - [18/Jun/2006:14:03:11 -0400]
"GET /XXX/XXX/YYY.html#ZZZ
HTTP/1.1" 403 - "http://www.XXX.net/XXX/XXX/YYY.html"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
.NET CLR 1.1.4322)"
Re: [users@httpd] Re: RE: /my.html#mySection
Posted by Pid <p...@pidster.com>.
Mike - EMAIL IGNORED wrote:
> On Tue, 20 Jun 2006 08:42:33 -0600, David Salisbury wrote:
>
> [...]
> The occasional appearance of #ZZZ in my logs therefore still remains
> a mystery. By the way, I can duplicate it if I use nc on another
> Linux box to send an (in)appropriate GET.
Which user-agent is present in the log line? (sorry if I missed this
from earlier).
Any badly behaved bot might not be stripping the fragment before it
crawls the next URL.
> Mike.
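As an added example (not code from the thread, from Mike's CGI, or from Apache), the following Python shows the two things the thread circles around: option 2 from Mike's list (strip the fragment from the request target and serve the resource as if it were absent) and Pid's suggestion of looking at the User-Agent of whatever client is sending the fragment. It parses combined-format access log lines of the shape quoted above; the log lines, IP addresses and User-Agents in `SAMPLE_LINES` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Combined log format, matching the shape of the line Mike quoted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: documentation-range IPs, placeholder paths as in the thread.
SAMPLE_LINES = [
    '192.0.2.10 - - [18/Jun/2006:14:03:11 -0400] "GET /XXX/XXX/YYY.html#ZZZ HTTP/1.1" '
    '403 - "http://www.XXX.net/XXX/XXX/YYY.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '192.0.2.11 - - [18/Jun/2006:14:03:12 -0400] "GET /XXX/XXX/YYY.html HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [18/Jun/2006:14:03:13 -0400] "GET /cgi-bin/x.cgi?a=1#top HTTP/1.0" '
    '403 - "-" "ExampleBot/1.0"',
]

def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def strip_fragment(target):
    """Split a request target into (target without fragment, fragment or None).

    This is option 2 from the thread: keep path and query, drop everything from '#'.
    An empty fragment ('/x.html#') is still reported, as '' rather than None."""
    if '#' not in target:
        return target, None
    parts = urlsplit(target)
    return urlunsplit(parts._replace(fragment='')), parts.fragment

def find_fragment_requests(lines):
    """Defender's view: (ip, cleaned target, fragment, user-agent) for every request
    line that carried a fragment, so the misbehaving client can be identified."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        clean, frag = strip_fragment(rec['target'])
        if frag is not None:
            hits.append((rec['ip'], clean, frag, rec['ua']))
    return hits

if __name__ == '__main__':
    for hit in find_fragment_requests(SAMPLE_LINES):
        print(hit)
```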
[users@httpd] Re: RE: /my.html#mySection
Posted by Mike - EMAIL IGNORED <m_...@yahoo.com>.
On Tue, 20 Jun 2006 08:42:33 -0600, David Salisbury wrote:
[...]
>>
>>> Additionally, I wonder why the #ZZZ appeared in the first place.
>>
>> A bug in the client, I guess; I've seen this problem on some proxy server's
>> mailing list...
>
> I would guess all that happened was the user bookmarked the page with the anchor.
> I can't imagine it's a security problem.
>
>
> -ds
>
[...]
I just tried the bookmarking idea with both Firefox and Internet
Explorer. In each case, I went to a page and an anchor in the middle, and
bookmarked. I then closed the browser, reopened, and selected the
bookmark. In each case, the correct display appeared. In neither case
did the anchor (#ZZZ) appear in the httpd log. Since my CGI sends 403 if
it sees #ZZZ, we can safely assume that the browsers did not send it.
The occasional appearance of #ZZZ in my logs therefore still remains
a mystery. By the way, I can duplicate it if I use nc on another
Linux box to send an (in)appropriate GET.
Mike.
Re: [users@httpd] RE: /my.html#mySection
Posted by David Salisbury <sa...@globe.gov>.
>> Now the #ZZZ is legitimate in the sense that my YYY.html does
>> contain that hypertext. However, in my experience, browsers do
>> not normally send the #ZZZ, as explained above.
>>
>> My question is "how should I respond to it?" Here are choices:
>>
>> 1. Send 403 (Forbidden), which is what I do now.
>> 2. Strip the #ZZZ in my CGI and YYY.html normally.
>> 3. Something else I didn't think of.
>
> I vote for 1.
>
>> Additionally, I wonder why the #ZZZ appeared in the first place.
>
> A bug in the client, I guess; I've seen this problem on some proxy server's
> mailing list...
I would guess all that happened was the user bookmarked the page with the anchor.
I can't imagine it's a security problem.
-ds
Re: [users@httpd] RE: /my.html#mySection
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 19.06.06 12:21, Mike - EMAIL IGNORED wrote:
> 64.233.173.67 - - [18/Jun/2006:14:03:11 -0400]
> "GET /XXX/XXX/YYY.html#ZZZ
> HTTP/1.1" 403 - "http://www.XXX.net/religion/XXX/XXX/YYY.html"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1
> .NET CLR 1.1.4322)"
>
> As you can see, good practice notwithstanding, there is a #YYY
> in the GET. I have confirmed this by examining the incoming
> packet captured with tethereal (ethereal-0.10.13-1.FC4.2) .
>
> Now the #ZZZ is legitimate in the sense that my YYY.html does
> contain that hypertext. However, in my experience, browsers do
> not normally send the #ZZZ, as explained above.
>
> My question is "how should I respond to it?" Here are choices:
>
> 1. Send 403 (Forbidden), which is what I do now.
> 2. Strip the #ZZZ in my CGI and YYY.html normally.
> 3. Something else I didn't think of.
I vote for 1.
> Additionally, I wonder why the #ZZZ appeared in the first place.
A bug in the client, I guess; I've seen this problem on some proxy server's
mailing list...
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
It's now safe to throw off your computer.