Posted to dev@httpd.apache.org by "Ralf S. Engelschall" <rs...@engelschall.com> on 1997/11/23 20:14:15 UTC

Re: mod_rewrite/1440: Rewrite has problems with urls such as

In article <3....@mail.xxLINK.nl> you wrote:
> At 09:16 23-11-97 -0700, Marc Slemko wrote:

>>All the same, I think this should at least be noted as a possible security
>>risk.
>>Say people are using mod_rewrite for some sort of access control.  It is
>>not intuitive that people can bypass it just by adding '/'s.
>>> 3. When he wants to clean up any double slashes he has
>>>    to do so explicitly, for instance via 
>>>    RewriteRule (.*)//+(.*)  $1/$2  [next]

> That basically means that ANY slash in a RewriteRule should have "/+"
> followed by it in order to be sure that the rule will always work.  I don't
> think you can accept this from webmasters.  In my opinion, mod_rewrite
> should automatically do a s#//#/#g on any input string.

> Even <Location> </Location> takes care of double slashes in URLs properly.
> I assume the new LocationMatch does so also, otherwise that might be a
> security hole the size you could drive a Mack truck through...  ;-(

Mod_rewrite is a URL rewriting engine, directly operating on the given URL
via rules specified by the user. So, it does only what it is configured to do.
Automatically cleaning up URLs is not good, I think. When someone really
wants this he can easily add the above ruleset to his config.

What do the RFCs say? Is a URL with double slashes equal to the one with
only one slash? If yes, then - ok - we should make sure even the URL
rewriting engine automatically does the cleanup. If not, we should not do it.

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com

Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Ben Laurie <be...@algroup.co.uk>.
Elizabeth Mattijsen wrote:
> 
> At 16:30 23-11-97 -0700, Marc Slemko wrote:
> >> Ehh... isn't it actually the underlying filesystem that treats them as
> >> equal?
> >No.
> >The filesystem treating them as equal never gets to enter into the picture
> >because no2slash() already collapses them.
> 
> Aha!
> 
> Still, the only valid reason I can see for "//" in a URL is as part of a
> protocol specification: so "//" by itself should be collapsed, but "://"
> not...  Wouldn't that fix the problem?

That's not on. Suppose partway through the path you have a CGI, like:
http://somewhere/cgi/script/arg1/arg2, and you want arg1 to be null, so
you get: http://somewhere/cgi/script//arg2 - collapsing the // would be
an error.

Hmmm ... wonder what os_canonical_filename() does to that?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 24 Nov 1997, Elizabeth Mattijsen wrote:

> At 16:30 23-11-97 -0700, Marc Slemko wrote:
> >> Ehh... isn't it actually the underlying filesystem that treats them as
> >> equal?
> >No.
> >The filesystem treating them as equal never gets to enter into the picture
> >because no2slash() already collapses them.
> 
> Aha!
> 
> Still, the only valid reason I can see for "//" in a URL is as part of a
> protocol specification: so "//" by itself should be collapsed, but "://"
> not...  Wouldn't that fix the problem?

// is already collapsed, but only in certain places.  It can't be
collapsed everywhere because http://foo?bar//joe or something like that
may be valid and distinct from http://foo?bar/joe.  The problem is that
what mod_rewrite uses is not collapsed when mod_rewrite gets it.


Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Dean Gaudet <dg...@arctic.org>.
I could define a URI as an ordered list of options separated by slashes,
and so // would be an empty value for one of the options. 

Dean

On Mon, 24 Nov 1997, Elizabeth Mattijsen wrote:

> Still, the only valid reason I can see for "//" in a URL is as part of a
> protocol specification: so "//" by itself should be collapsed, but "://"
> not...  Wouldn't that fix the problem?


Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Elizabeth Mattijsen <li...@xxLINK.nl>.
At 16:30 23-11-97 -0700, Marc Slemko wrote:
>> Ehh... isn't it actually the underlying filesystem that treats them as
>> equal?
>No.
>The filesystem treating them as equal never gets to enter into the picture
>because no2slash() already collapses them.

Aha!

Still, the only valid reason I can see for "//" in a URL is as part of a
protocol specification: so "//" by itself should be collapsed, but "://"
not...  Wouldn't that fix the problem?


Elizabeth Mattijsen
xxLINK Internet Services

Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Marc Slemko <ma...@worldgate.com>.
On Mon, 24 Nov 1997, Elizabeth Mattijsen wrote:

> At 16:19 23-11-97 -0700, Marc Slemko wrote:
> >They are not equal, but the problem is that Apache treats them as equal
> >later on in the processing.
> 
> Ehh... isn't it actually the underlying filesystem that treats them as equal?

No.

cf. a CERT advisory from years and years ago that warned of broken servers
(incl. NCSA at that time, I think) that allowed you to bypass access
control by using multiple '/'s.

The filesystem treating them as equal never gets to enter into the picture
because no2slash() already collapses them.


Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Elizabeth Mattijsen <li...@xxLINK.nl>.
At 16:19 23-11-97 -0700, Marc Slemko wrote:
>They are not equal, but the problem is that Apache treats them as equal
>later on in the processing.

Ehh... isn't it actually the underlying filesystem that treats them as equal?


>...  It is not good when you can slightly modify a
>URL and use that to bypass access controls.  With the current mod_rewrite
>and Apache interactions, you can do this.
>This is a problem.  It is not necessarily mod_rewrite's fault, but it is a
>problem.

Indeed.  It has made me put a thorough check of all RewriteRules in our
servers on my to-do list for the coming week... ;-(  I'd rather be too
paranoid than not paranoid enough.


Elizabeth Mattijsen
xxLINK Internet Services

Re: mod_rewrite/1440: Rewrite has problems with urls such as

Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 23 Nov 1997, Ralf S. Engelschall wrote:

> What do the RFCs say? Is a URL with double slashes equal to the one with
> only one slash? If yes, then - ok - we should make sure even the URL
> rewriting engine automatically does the cleanup. If not, we should not do it.
> 

They are not equal, but the problem is that Apache treats them as equal
later on in the processing.  It is not good when you can slightly modify a
URL and use that to bypass access controls.  With the current mod_rewrite
and Apache interactions, you can do this.

This is a problem.  It is not necessarily mod_rewrite's fault, but it is a
problem.
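
The mismatch described in the message above, as an added example that is not part of the thread and is not Apache's code: a rule matched against the raw URL misses a path that later slash-collapsing maps onto the protected one, while matching after normalisation catches it. The names `collapse_slashes` and `rule_denies` and the `/private/` prefix are hypothetical; the collapse stops at `?` because the thread notes that `//` in a query string may be significant.

```c
#include <stdio.h>
#include <string.h>

/* Collapse runs of '/' in the path part only; everything from '?' on is
 * copied unchanged. Hypothetical helper, not Apache's no2slash(). */
static void collapse_slashes(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int in_query = 0;
    if (outsz == 0) return;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '?') in_query = 1;
        if (!in_query && in[i] == '/' && o > 0 && out[o - 1] == '/')
            continue;                       /* skip the repeated slash */
        out[o++] = in[i];
    }
    out[o] = '\0';
}

/* Stand-in for an access-control rule anchored on a path prefix, in the
 * spirit of a pattern like ^/private/ (constructed rule, an assumption). */
static int rule_denies(const char *path)
{
    static const char prefix[] = "/private/";
    return strncmp(path, prefix, sizeof(prefix) - 1) == 0;
}

/* The situation in the thread: the rule sees the uncollapsed URL. */
static int denied_raw(const char *url) { return rule_denies(url); }

/* Normalise first, so the rule and later processing see the same path. */
static int denied_normalized(const char *url)
{
    char buf[256];
    collapse_slashes(url, buf, sizeof(buf));
    return rule_denies(buf);
}

int main(void)
{
    /* Constructed sample URLs. */
    const char *samples[] = { "/private/report", "//private/report",
                              "/private//report", "/public/a?x=//private/" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-26s raw=%d normalized=%d\n", samples[i],
               denied_raw(samples[i]), denied_normalized(samples[i]));
    return 0;
}
```

This does not settle the objection raised in the thread about CGI path arguments, where an empty segment between two slashes can be meaningful; it only shows why the check and the later processing must agree on one form of the path.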