Re: [AC] URI canonicalization problem with Access-Control-Policy-Path from Bjoern Hoehrmann on 2008-05-16 (public-appformats@w3.org from May 2008)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 16 May 2008 18:44:43 +0200
To: Jonas Sicking <jonas@sicking.cc>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <b4ar241shgkpbigfoctj8140dajur9js8r@hive.bjoern.hoehrmann.de>

* Jonas Sicking wrote:
>Mozilla has received input that some servers canonicalize URIs in ways
>that are incompatible with rfc2396. This can lead to security issues
>with the Access-Control-Policy-Path header. Consider the following:

You have the terminology slightly wrong here, canonicalisation would be
the process of turning a resource identifier into a normal, canonical
form. Your issue however is really about how the path and query part of
a resource identifier are interpreted by a server, e.g. when mapping the
identifier to the local filesystem. That is entirely up to the server,
there is nothing incompatible or incorrect about this.

(Note by the way that the backslash is not allowed in resource identi-
fiers, a browser should only ever send the escaped form, though that
has little effect on the issue).

>Not really sure how to fix this short of disabling the whole 
>Access-Control-Policy-Path feature. Especially if we assume that there 
>are other canonicalization behaviors out there as well.

That would be a safe bet, for example, an Apache configuration like:

  RewriteCond %{QUERY_STRING} for=([^&;]+)
  RewriteRule ^apis/search /scripts/%1.php [L]

would map /apis/search?for=images to /scripts/images.php, but would
also map /apis/search?for=../admin/example to /admin/example.php in-
ternally, so posting to one would be like posting to the other. There
http://www.google.com/codesearch?q=query_string+rewriterule.*%251 are
quite a few techniques similar to this in use.

I didn't follow the introduction of this feature, and couldn't find
much information that demonstrates how a feature like it is needed or
would pay off, but if introduced, the scope should always be the whole
triple of scheme, host, and port, not individual paths. As you note,
the effect will often be the same either way.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Friday, 16 May 2008 16:45:23 UTC