
Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 14 May 2008 22:47:11 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0805142228470.12907@hixie.dreamhostps.com>

On Wed, 14 May 2008, Jonas Sicking wrote:
> However, apparently there are servers out there that canonicalize URIs 
> differently from rfc2396 by treating "\" characters as path separators. 
> An attacker can use this to attack a server configured as above.
> It first sends a POST to "/apis", this makes the UA cache the above 
> policy for 10h. It then sends a POST to "/apis/..\admin.cgi"
> To a UA it looks like this is a POST to the file "..\admin.cgi" in the 
> "apis" directory. However there are apparently servers out there that 
> will canonicalize the above to /admin.cgi and thus treat it as a POST to 
> that URI, which may not be safe.

Specifically, this is a bug present in IIS. For example:


...returns the same content as:


This bug is even present if you escape the "\"s and "."s:


> Not really sure how to fix this short of disabling the whole 
> Access-Control-Policy-Path feature. Especially if we assume that there 
> are other canonicalization behaviors out there as well.

Indeed. It would be sad to lose this, but I don't see a better solution. 
Maybe we should just put a warning in the spec that if you're using IIS 
you shouldn't use this feature?

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 14 May 2008 22:47:56 UTC
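An added illustration of the mismatch discussed above; this is not code from the message, from Ian, or from the WAF WG. It models the two ways a request path can be interpreted (the RFC 2396 reading a UA uses, where only "/" separates segments, versus a lenient server that treats "\" as "/" and resolves ".." segments, as the thread says IIS does), and a conservative user-agent check that declines to reuse a cached Access-Control-Policy-Path policy whenever the two readings could disagree. The function names, the policy path "/apis/" and the request paths are all constructed for the example.

```python
from urllib.parse import unquote

# Constructed example: two canonicalization models and a conservative
# UA-side check. Nothing here is the spec's or any browser's actual code.


def rfc2396_segments(path: str) -> list[str]:
    """RFC 2396 view: only '/' separates segments; a backslash is an
    ordinary character and '..' is not resolved."""
    return path.split("/")


def lenient_canonicalize(path: str) -> str:
    """Model of a server that treats '\\' as '/' and resolves '.' and '..'.
    Percent-escapes are decoded first, since the message notes that
    escaping the characters does not change the server's behaviour."""
    decoded = unquote(path).replace("\\", "/")
    out: list[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def within_policy_path_strict(policy_path: str, request_path: str) -> bool:
    """What a UA applying RFC 2396 would conclude: the request is covered
    by the policy if its segments start with the policy path's segments."""
    policy = [s for s in rfc2396_segments(policy_path) if s]
    request = [s for s in rfc2396_segments(request_path) if s]
    return request[: len(policy)] == policy


def within_policy_path_lenient(policy_path: str, request_path: str) -> bool:
    """What the lenient server actually serves: same test, but on the
    canonicalized path."""
    return within_policy_path_strict(policy_path, lenient_canonicalize(request_path))


def safe_to_reuse_policy(policy_path: str, request_path: str) -> bool:
    """Conservative UA check: reuse a cached policy only when every decoded
    segment is plain (no backslash, no '.' or '..'), so that the strict and
    lenient interpretations cannot disagree about which resource is hit."""
    decoded = unquote(request_path)
    if "\\" in decoded:
        return False
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    return within_policy_path_strict(policy_path, decoded)


def interpretations(policy_path: str, request_path: str) -> dict[str, object]:
    """Side-by-side summary for one request, useful when auditing a policy."""
    return {
        "strict_covered": within_policy_path_strict(policy_path, request_path),
        "lenient_target": lenient_canonicalize(request_path),
        "lenient_covered": within_policy_path_lenient(policy_path, request_path),
        "safe_to_reuse": safe_to_reuse_policy(policy_path, request_path),
    }


if __name__ == "__main__":
    # Constructed request paths: the one from the thread, its escaped form,
    # and an ordinary request that the policy should legitimately cover.
    for req in ("/apis/..\\admin.cgi", "/apis/%2e%2e%5cadmin.cgi", "/apis/users"):
        print(req, interpretations("/apis/", req))
```

The point the summary makes visible is that "/apis/..\admin.cgi" is inside "/apis/" under the strict reading (so a UA would apply the cached policy) but resolves to "/admin.cgi" under the lenient one, which is outside the policy path; the conservative check refuses both the raw and the percent-escaped form while still accepting a plain "/apis/users" request.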
