Received: (qmail 74661 invoked by uid 501); 8 Dec 2000 15:54:54 -0000 Message-Id: <20001208155453.74660.qmail@locus.apache.org> Date: 8 Dec 2000 15:54:53 -0000 From: Vladislav Shulgin Reply-To: shulya@sputnikmedia.net To: submit@bugz.apache.org Subject: RewriteMap problem X-Send-Pr-Version: 3.110 >Number: 6950 >Category: mod_rewrite >Synopsis: RewriteMap problem >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Dec 08 08:00:02 PST 2000 >Closed-Date: Fri Dec 08 20:03:34 PST 2000 >Last-Modified: Tue Dec 12 12:30:01 PST 2000 >Originator: shulya@sputnikmedia.net >Release: 1.3.14 >Organization: >Environment: RedHat Linux 6.2 >Description: In My http.conf I have next: RewriteMap my_map prg:/home/web/conf/parser.pl RewriteCond %{HTTP_HOST} !^(www\.)?ukrbiz\.net$ RewriteRule ^(.+)$ ${my_map:%{HTTP_HOST}$1} [L] In 1.3.12 all works fine, but on 1.3.14 passed to my Perl Script parameters is broken. In rewrite log file I found something like that: map lookup FAILED map=ubiz_map key=%{HTTP_HOST May be in new version something happens with parsing and recognising in map key values >How-To-Repeat: Repeat my example of my httpd.conf file in your system and create parser.pl script like that: #!/usr/bin/perl $| = 1; $base_dir = "/home/web/htdocs/kbd/"; while (<>) { print $_; } >Fix: >Release-Note: >Audit-Trail: From: Maurice Cinquini To: Vladislav Shulgin , apbugs@Apache.Org Cc: Subject: Re: mod_rewrite/6950: RewriteMap problem Date: Fri, 08 Dec 2000 17:38:46 -0800 Just about all useful use of RewriteMaps (including the examples in the documentation) has been lost due the a security fix added to 1.3.14, described by this comment: /* * for security reasons this expansion must be perfomed in a * single pass, otherwise an attacker can arrange for the result * of an earlier expansion to include expansion specifiers that * are interpreted by a later expansion, producing results that * were not intended by the administrator. */ If the map key contains a variable, that variable no longer gets expanded! I'm thinking a simple fix is to recursively call do_expand() on the map "key" and "dflt" (default) strings. I think this still secure because only runs do_expand on parts of the substitution pattern that have not been expanded yet. I also note that the code doesn't handle nested map expressions, but I don't think it ever did. State-Changed-From-To: open-closed State-Changed-By: slive State-Changed-When: Fri Dec 8 20:03:34 PST 2000 State-Changed-Why: This is a known bug. Please see http://httpd.apache.org/dist/apache_1.3.14-fix.diff or wait for the next release of Apache, due out in the next week or so. From: Tony Finch To: Maurice Cinquini Cc: apbugs@apache.org Subject: Re: mod_rewrite/6950: RewriteMap problem Date: Tue, 12 Dec 2000 20:28:44 +0000 Maurice Cinquini wrote: > > I'm thinking a simple fix is to recursively call do_expand() on > the map "key" and "dflt" (default) strings. That's exactly the fix that has been committed to CVS. Tony. -- f.a.n.finch fanf@covalent.net dot@dotat.at "Dead! And yet there he stands!" >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]