- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 16 May 2008 18:44:43 +0200
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
* Jonas Sicking wrote:
>Mozilla has received input that some servers canonicalize URIs in ways
>that are incompatible with rfc2396. This can lead to security issues
>with the Access-Control-Policy-Path header. Consider the following:

You have the terminology slightly wrong here: canonicalisation would be
the process of turning a resource identifier into a normal, canonical
form. Your issue, however, is really about how the path and query part
of a resource identifier are interpreted by a server, e.g. when mapping
the identifier to the local filesystem. That is entirely up to the
server; there is nothing incompatible or incorrect about this. (Note by
the way that the backslash is not allowed in resource identifiers, a
browser should only ever send the escaped form, though that has little
effect on the issue).

>Not really sure how to fix this short of disabling the whole
>Access-Control-Policy-Path feature. Especially if we assume that there
>are other canonicalization behaviors out there as well.

That would be a safe bet; for example, an Apache configuration like:

  RewriteCond %{QUERY_STRING} for=([^&;]+)
  RewriteRule ^apis/search /scripts/%1.php [L]

would map /apis/search?for=images to /scripts/images.php, but would also
map /apis/search?for=../admin/example to /admin/example.php internally,
so posting to one would be like posting to the other. There

  http://www.google.com/codesearch?q=query_string+rewriterule.*%251

are quite a few techniques similar to this in use.

I didn't follow the introduction of this feature, and couldn't find much
information that demonstrates how a feature like it is needed or would
pay off, but if introduced, the scope should always be the whole triple
of scheme, host, and port, not individual paths. As you note, the effect
will often be the same either way.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 16 May 2008 16:45:23 UTC
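An added Python emulation of the two Apache directives quoted in the mail (example code, neither the mail's nor Apache's own), showing why a policy scoped on the request path cannot tell the two requests apart and what the mail's argument points at instead: checking the resolved target on the server, or scoping on the scheme/host/port triple. The example.com URLs and the `/scripts` root are constructed; Apache's rewrite engine itself is not modelled, only the substitution.

```python
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed emulation of the rule from the mail:
#   RewriteCond %{QUERY_STRING} for=([^&;]+)
#   RewriteRule ^apis/search /scripts/%1.php [L]
FOR_PARAM = re.compile(r"for=([^&;]+)")
SCRIPTS_ROOT = "/scripts"  # assumed intended root for the rewritten scripts


def rewrite_target(url: str) -> Optional[str]:
    """Internal path the emulated rule dispatches to, or None if it does not match."""
    parts = urlsplit(url)
    match = FOR_PARAM.search(parts.query)
    if not parts.path.startswith("/apis/search") or match is None:
        return None
    # %1 is substituted verbatim, so dot segments in the query survive.
    return f"{SCRIPTS_ROOT}/{match.group(1)}.php"


def dispatched_path(url: str) -> Optional[str]:
    """Where the request ends up once the server collapses dot segments."""
    target = rewrite_target(url)
    return None if target is None else posixpath.normpath(target)


def path_scope_allows(policy_path: str, url: str) -> bool:
    """A path-scoped policy only ever sees the path the client asked for."""
    return urlsplit(url).path.startswith(policy_path)


def dispatch_stays_in_root(url: str, root: str = SCRIPTS_ROOT) -> bool:
    """Server-side check: the resolved target must remain under the intended root."""
    resolved = dispatched_path(url)
    return resolved is not None and (resolved == root or resolved.startswith(root + "/"))


def origin_triple(url: str) -> Tuple[str, Optional[str], Optional[int]]:
    """The scope the mail argues for: scheme, host and port, never the path."""
    parts = urlsplit(url)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port if parts.port is not None else default)
```

Both constructed requests pass `path_scope_allows("/apis/", ...)`, while `dispatched_path` resolves one to `/scripts/images.php` and the other to `/admin/example.php`; only the server-side root check or the origin triple distinguishes what is actually being addressed.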