You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Andy Wang <aw...@ptc.com> on 2007/04/13 23:30:06 UTC

bug #42120: Apache improperly handling Path Component parameters?

I just submitted bug 42120.  It appears that Apache is improperly (at 
least I think it's improper) matching Location blocks when doing 
authentication if a path component parameter is passed on.

Specifically, something like this
<Location /webapp/servlet/SomeServlet>
  {Auth stuff}
</Location>

In this scenario, if I hit http://server/webapp/servlet/SomeServlet I'll 
be properly challenged.  However, if I generate a servlet URL with the 
jsession ID as a parameter rather than a cookie, the URL will look 
something like 
http://server/webapp/servlet/SomeServlet;jsessionid=[sessionid] and 
Apache fails to properly challenge for authentication.

There are a number of potential workarounds (LocationMatch, or Multiple 
Location blocks to deal with the ;* pattern) but it does seem like this 
is a bug unless someone can clarify RFC 2396 section 3.3 for me and 
explain why it isn't.

Agree or disagree?

Thanks,
Andy

Re: bug #42120: Apache improperly handling Path Component parameters?

Posted by Jess Holle <je...@ptc.com>.

Nick Kew wrote:
> On Fri, 13 Apr 2007 16:30:06 -0500
> Andy Wang <aw...@ptc.com> wrote:
>   
>> There are a number of potential workarounds (LocationMatch, or
>> Multiple Location blocks to deal with the ;* pattern) but it does
>> seem like this is a bug unless someone can clarify RFC 2396 section
>> 3.3 for me and explain why it isn't.
>>     
> Your reading of the RFC is correct but irrelevant. The semantics of 
> <Location> are (like <Directory>) based on path components.
>   
It's clear they are today, but is that really proper?

Java servlet engines have an encodeURL() API that is the standard means 
of cookie-less session passing and uses exactly this URL syntax.

Thus anyone using Location in conjunction with Java servlet engines may 
be getting unexpected results.  For instance, using Location /x/y/z to 
establish authentication via Apache will not establish authentication on 
/x/y/z;jsessionid=xxx -- yet the servlet engine will treat the two the 
same (except that the latter denotes a particular session).  This is 
thus a security hole for the unaware (if they were using authentication 
to prevent access to those resources, not just to establish identity for 
use of them).

We can certainly change add more Location blocks or use LocationMatch to 
handle /x/y/z;*, but this seems to be a clear disconnect between 
Apache's Location notion and that of both the RFC and Java servlet engines.

I realize that this is an old issue that has been left "as is" for 
years.  We're running into it only now because we normally only allow 
cookie-based session passing but suddenly have cause to support this 
form as well in some corner cases.  While we can work around the issue 
it would seem Location should simply be fixed.

--
Jess Holle

Re: bug #42120: Apache improperly handling Path Component parameters?

Posted by Andy Wang <aw...@ptc.com>.

Nick Kew wrote:
> On Fri, 13 Apr 2007 16:30:06 -0500
> Andy Wang <aw...@ptc.com> wrote:
>
>   
>> There are a number of potential workarounds (LocationMatch, or
>> Multiple Location blocks to deal with the ;* pattern) but it does
>> seem like this is a bug unless someone can clarify RFC 2396 section
>> 3.3 for me and explain why it isn't.
>>     
>
> Your reading of the RFC is correct but irrelevant. The semantics of 
> <Location> are (like <Directory>) based on path components.
>
>
>   
Doesn't that more or less support my interpretation?  If the semantics 
of <Location> are based on path components, and the RFC 2396 section 3.3 
defines the grammar for Path Component, and according to that grammar 
param's are not significant when parsing them, shouldn't apache also not 
include parameter's when attempting to match a URI's path component to a 
<Location> block?

Andy

Re: bug #42120: Apache improperly handling Path Component parameters?

Posted by Nick Kew <ni...@webthing.com>.

On Fri, 13 Apr 2007 16:30:06 -0500
Andy Wang <aw...@ptc.com> wrote:

> There are a number of potential workarounds (LocationMatch, or
> Multiple Location blocks to deal with the ;* pattern) but it does
> seem like this is a bug unless someone can clarify RFC 2396 section
> 3.3 for me and explain why it isn't.

Your reading of the RFC is correct but irrelevant. The semantics of 
<Location> are (like <Directory>) based on path components.


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/