From: Stephen D. <sd...@gm...> - 2008-11-07 17:23:18
On Fri, Nov 7, 2008 at 3:12 AM, Vlad Seryakov <ser...@us...> wrote:

> + # If address set to 0.0.0.0 in nssock to listen on
> + # all interfaces we may try to use Host: header to
> + # return proper urls
> + #
> +
> + if { $loc == "http://0.0.0.0" } {
> + set host [ns_set iget [ns_conn headers] Host]
> + if { $host != "" } {
> + set loc http://$host
> + }
> + }

You can't take unfiltered input from the host header and then feed it back to ns_returnredirect as this is vulnerable to a response splitting attack.

http://www.google.co.uk/search?q=response+splitting

It seems like this may be a more general kind of bug. After all, it's not just in directory listings that 0.0.0.0 is an invalid host address. Take a look at conn.c:Ns_ConnLocationAppend() -- looks like this is where the fix needs to go.

This is a tricky area so add some extra tests in tests/ns_conn_host.test
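Review bot: the `if { $host != "" }` test is the only check applied to the Host header before it is spliced into `$loc` and handed to the redirect, so a header containing CR/LF or any other unexpected bytes flows straight into the response; validate `$host` against the server's configured hostnames (or at least a strict host[:port] grammar) and keep the configured location when it does not match. The fragment also arrives without an `@@` header or file name, so it is not clear from the quoted lines which file and function the change lands in; that matters given the suggestion to move the fix into Ns_ConnLocationAppend().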
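As an added illustration of the validation the reply is asking for (this is example code, not part of the patch or of NaviServer itself), the guard below accepts a Host header value only when it is a well-formed host[:port] and names a host the server is configured to serve; the allow-list, the `safe_host` and `redirect_base` procs, and the sample inputs are all constructed for the example, and the header value is passed in as a plain string so it runs in tclsh without `ns_set`.

```tcl
# Hypothetical allow-list of names this server answers for; in a real
# deployment this would come from the nssock/server configuration.
set ::allowed_hosts {www.example.com example.com}

# Return the validated host[:port] value, or "" when it must not be used.
proc safe_host {value} {
    # Strict grammar: DNS labels joined by dots plus an optional numeric port.
    # CR, LF, spaces, slashes and anything else that could split or steer
    # the response fail the match and are discarded.
    set label {[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?}
    set re "^(${label}(\\.${label})*)(:\[0-9\]{1,5})?\$"
    if {![regexp $re $value -> name]} {
        return ""
    }
    # Only a name the server is configured for is trusted, so a forged
    # Host header cannot redirect the client to another site.
    if {[lsearch -exact -nocase $::allowed_hosts $name] < 0} {
        return ""
    }
    return $value
}

# Defensive form of the quoted logic: when the configured location is the
# 0.0.0.0 placeholder, use the Host header only if it validates, otherwise
# keep the configured location untouched.
proc redirect_base {loc hostHeader} {
    if {$loc eq "http://0.0.0.0"} {
        set host [safe_host $hostHeader]
        if {$host ne ""} {
            set loc http://$host
        }
    }
    return $loc
}

# Constructed sample header values, including a CR/LF injection attempt.
foreach h [list "www.example.com" "www.example.com:8080" \
               "attacker.example.org" "www.example.com\r\nX-Injected: 1"] {
    puts [format "%-40s -> %s" [string map {"\r" "\\r" "\n" "\\n"} $h] \
              [redirect_base "http://0.0.0.0" $h]]
}
```

Only the first two inputs produce a Host-derived location; the forged name and the CR/LF value both fall back to the configured "http://0.0.0.0", which is the safe outcome for a redirect.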