Bug 42990 - modrewrite do not decode hex econde uri
Summary: modrewrite do not decode hex econde uri
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Other Modules (show other bugs)
Version: 2.0.54
Hardware: All Linux
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: RFC, TestID
Depends on:
Reported: 2007-07-27 10:00 UTC by Alessandro Fiorenzi
Modified: 2007-07-30 13:02 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Alessandro Fiorenzi 2007-07-27 10:00:31 UTC
usind RewriteRule on proxy to match access to /cosole/  ofapplication server
console and to catch xss attack and redirect them outside has a problem

using on a virtual host this rewriterule:

RewriteRule ^/console/(.*) 	http://www.mynewdomain.it/$1 [L,P]

If I use on my browser http://www.mydomain.it/console/ it works
If I use on my browser http://www.mydomain.it/%63%6f%6e%73%6f%6c%65%2f that is
the hex format of "console/" it does not match and get an error like "The
requested URL /console/ was not found on this server"

using hex encoding I could potentially bypass Rewrite Engine rule, and bypass
proxy pass rule with result of access to part of site not available to everyone
and directory traversal of site or of proxy.
Comment 1 Joshua Slive 2007-07-30 10:25:31 UTC
So, why exactly didn't you read/respond to the thread that you raised on
users@httpd.apache.org before filing this bug?

Anyway, the character '/' is in the RFC 2396 "reserved" set and is therefore not
equivalent to its hex encoding. Apache httpd ALWAYS responds with a 404 to
requests containing %2f unless AllowEncodedSlashes is set on. Therefore there is
no possibility to bypass rewriterules.