Re: why does latest jessie apache2 reject _ in http request path?

On Wed, Mar 08, 2017 at 09:07:53AM +0200, Juha Heinanen wrote:
> My web app stopped working in apache2 2.4.10-10+deb8u8 and looks like
> the reason is this:
> 
>   * CVE-2016-8743: Enforce more HTTP conformance for request lines and
>     request headers, to prevent response splitting and cache pollution
>     by malicious clients or downstream proxies.
>     If this causes problems with non-conforming clients, some checks can
>     be relaxed by adding the new directive 'HttpProtocolOptions unsafe'
>     to the configuration.
>     Differently than the upstream 2.4.25 release which will also be in the
>     Debian 9 (stretch) release, this update for Debian 8 (jessie) accepts
>     underscores in host and domain names even while 'HttpProtocolOptions
                     ^^^^     ^^^^^^
>     strict' is in effect.
>     More information is available at
>     http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions
> 
> I checked at the referenced RFCs and underscore IS a valid character in
> a segment (rfc3986):
    ^^^^^^^

Note the underscored parts. You are talking about (path) segments.
Underscore is fine there. The problem is host and domain names, and 3986 is
pretty deliberately handwavy there (3.2.2 host). Apart from IP addresses
it refers to good ol' DNS (1123, 952. Ah, those folks knew how to write
RFCs ;-), which *doesn't* include underscore (but dash). But then it
goes on to say that you can locally do what you want with the host part
anyway, and that it doesn't have to be tied to the DNS (even percent-encode
it, yikes).

So the restriction up there is pure prudence (but actually makes sense
to me).

Regards
-- tomás
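As an added illustration (not from the thread, not Apache's code), a small Python check that applies the two grammars contrasted above: RFC 3986 *pchar for path segments, where underscore is an unreserved character, and RFC 952/1123 labels for host names, where it is not, with a switch mirroring the jessie package's tolerance of underscores in hosts. The request-line parsing, the jessie label rule and the function names are my own simplifications, not Apache's implementation.

```python
import re

# RFC 3986 sec. 3.3: segment = *pchar,
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"  (underscore is unreserved)
PCHAR_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*$")

# RFC 952/1123 label: letters, digits, hyphen; no leading or trailing hyphen; max 63 octets
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Same label rule with underscore tolerated, approximating what jessie does under 'strict'
LABEL_RE_JESSIE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def is_valid_segment(segment: str) -> bool:
    """True if the path segment is RFC 3986 *pchar (percent-encoded octets must be complete)."""
    return bool(PCHAR_RE.match(segment))


def is_valid_hostname(host: str, allow_underscore: bool = False) -> bool:
    """True if every DNS label in host matches RFC 1123 (optionally tolerating underscore)."""
    host = host.rstrip(".")                     # a trailing dot marks an FQDN and is allowed
    if not host or len(host) > 253:
        return False
    label_re = LABEL_RE_JESSIE if allow_underscore else LABEL_RE
    return all(label_re.match(label) for label in host.split("."))


def check_request(request_line: str, host_header: str, allow_underscore: bool = False) -> list:
    """Return the reasons a strict parser would reject the request; an empty list means accepted."""
    problems = []
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["request-line: expected 'METHOD target HTTP/x.y'"]
    path = parts[1].split("?", 1)[0]            # the query has its own grammar; not checked here
    for seg in path.split("/")[1:]:
        if not is_valid_segment(seg):
            problems.append("path: segment %r is not RFC 3986 *pchar" % seg)
    host = host_header
    if not host.startswith("["):                # IP-literals ([...]) are outside this check
        host, _, port = host.rpartition(":") if ":" in host else (host, "", "")
        if port and not port.isdigit():
            problems.append("host: port %r is not numeric" % port)
        if not is_valid_hostname(host, allow_underscore):
            problems.append("host: %r is not a valid RFC 1123 hostname" % host)
    return problems
```

Running `check_request("GET /my_app/index.php HTTP/1.1", "my_host.example")` flags only the Host header; the same call with `allow_underscore=True` accepts it, which is the difference the Debian changelog describes.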