| Summary: | Headers set with RequestHeader containing underscores in the name can be spoofed by clients | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | ScottE <lscotte> |
| Component: | mod_headers | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | CLOSED INVALID | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 2.4.7 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Linux | | |

Description
ScottE
2016-05-11 00:29:11 UTC
I'm a bit surprised that nobody has jumped on this as it's NOT an Apache issue. I did not do my due diligence on this, and it turns out to entirely be a problem in the request processing framework of the application Apache is proxying requests to. It turns out that some frameworks follow old CGI specs that prohibit hyphens ("-") in request header names. Apache is passing along both its header and the client-generated headers, but the proxied framework converts "-" to "_", which results in a map/dictionary key collision.

The net result of this is that my "Do this" advice is wrong, and better advice (if you have no control over what the request processing code does) is to use constructs like:

    # Do this
    RequestHeader set SSLCLIENTVERIFY "%{SSL_CLIENT_VERIFY}s"

I.e. mitigate the issue completely by avoiding "-" and "_" entirely.

Closing as RESOLVED/INVALID.
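
Added example, not part of the original bug report or of Apache httpd: a small Python model of the CGI-style name mapping the comment describes, used to check which header names a backend would be unable to tell apart. The helper names, the `app.example` host and the sample request are constructed for illustration, and `proxy_set` is only a simplified model of `RequestHeader set`.

```python
from collections import defaultdict

def cgi_name(header):
    """CGI-style meta-variable name: upper-case, '-' becomes '_', HTTP_ prefix."""
    return "HTTP_" + header.upper().replace("-", "_")

def proxy_set(headers, name, value):
    """Simplified model of `RequestHeader set`: drop headers with the same
    name (case-insensitive), then add the proxy's own value."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]

def collisions(headers):
    """CGI names reached by more than one distinct wire name."""
    groups = defaultdict(set)
    for name, _ in headers:
        groups[cgi_name(name)].add(name.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def candidates(headers, env_key):
    """Every value the backend could end up with for one CGI name.
    Which one it keeps is framework-specific, so all are returned."""
    return [v for n, v in headers if cgi_name(n) == env_key]

# Constructed client request carrying its own copies of the header.
CLIENT = [
    ("Host", "app.example"),
    ("SSL-Client-Verify", "SUCCESS"),
    ("SSLCLIENTVERIFY", "SUCCESS"),
]

# Proxy uses the underscore name: the hyphenated client header is a
# different name on the wire, so it survives and later collides.
with_underscore = proxy_set(CLIENT, "SSL_CLIENT_VERIFY", "NONE")

# Proxy uses the separator-free name from the comment: the client's copy
# has the same name, so it is replaced and nothing else maps to that key.
without_separator = proxy_set(CLIENT, "SSLCLIENTVERIFY", "NONE")

if __name__ == "__main__":
    print(collisions(with_underscore))
    print(candidates(without_separator, "HTTP_SSLCLIENTVERIFY"))
```

The backend must then read only the separator-free key; the client's `SSL-Client-Verify` header is still forwarded in this model and still appears under its own CGI name.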