You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/10/27 10:01:48 UTC

[Bug 61676] New: Unable to handle unescaped whitespace in URL with HttpProtocolOptions Unsafe

https://bz.apache.org/bugzilla/show_bug.cgi?id=61676

            Bug ID: 61676
           Summary: Unable to handle unescaped whitespace in URL with
                    HttpProtocolOptions Unsafe
           Product: Apache httpd-2
           Version: 2.4.28
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: All
          Assignee: bugs@httpd.apache.org
          Reporter: mail@oliwel.de
  Target Milestone: ---

The new option "HttpProtocolOptions Strict" prevents requests with an unescaped
whitespace such as:

   GET /Hallo Welt HTTP/1.0

or also   

   GET /index.php?paramHallo Welt HTTP/1.0

With an error message of: AH03448: HTTP Request Line; Excess whitespace
(disallowed by HttpProtocolOptions Strict

For my understanding, setting "HttpProtocolOptions = Unsafe" should bring back
the old behaviour but it seems like the URL parser is unable to handle the
extra whitespace:

AH03449: HTTP Request Line; Extraneous text found 'HTTP/1.0' (perhaps
whitespace was injected?)

Based on the comment in Bug 60738
https://bz.apache.org/bugzilla/show_bug.cgi?id=60783#c2, the Unsafe flag should
*not* turn of whitespace checking and all and keep with the original policy
error as quoted above. If still allowed with Unsafe, it should be properly
handled by the next layers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 61676] Unable to handle unescaped whitespace in URL with HttpProtocolOptions Unsafe

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61676

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Eric Covener <co...@gmail.com> ---
By default, the parser finds extra whitespace after Welt, not before it. This
part can be permitted with Unsafe.

But when you get farther, you still have a totally unexpected token since
"Welt" is interpreted as the version as the protocol uses spaces for
delimeters.

I don't think even under Unsafe we want to hunt around and try to sort
out that the next token looks more like an HTTP version.  Invalid and
malicious share too much.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 61676] Unable to handle unescaped whitespace in URL with HttpProtocolOptions Unsafe

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61676

--- Comment #2 from Oliver Welter <ma...@oliwel.de> ---
As I already wrote myself, I can understand to NOT fix it but then the
whitespace should already be rejected at the parser level and not pass thru
this stage.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 61676] Unable to handle unescaped whitespace in URL with HttpProtocolOptions Unsafe

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=61676

--- Comment #3 from Eric Covener <co...@gmail.com> ---
(In reply to Oliver Welter from comment #2)
> As I already wrote myself, I can understand to NOT fix it but then the
> whitespace should already be rejected at the parser level and not pass thru
> this stage.

Sorry, but i don't see how altering it further for this one doomed set of
input really helps. I don't think the externals are good here, but to me
ignoring leading/trailing whitespace is one thing (unsafe) but throwing
away or merging tokens is another entirely (doomed).  The errors are
simply reported as they're encountered, left to right.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org